CVE-2015-8383

2016

Vulnerability Summary

PHP bundles the Perl-Compatible Regular Expressions (PCRE) library for RegExp parsing, which SecurityCenter implements. PHP 5.6.18 was released, fixing a variety of issues in the bundled PCRE library, including:

CVE-2015-8383 - PCRE RegExp Repeated Conditional Group Handling Buffer Overflow DoS
CVE-2015-8386 - PCRE lookbehind Assertion Mutual Recursion Handling Stack Overflow DoS
CVE-2015-8387 - PCRE RegExp Subroutine Call Handling Integer Overflow DoS
CVE-2015-8389 - PCRE RegExp Pattern Handling Infinite Recursion DoS
CVE-2015-8390 - PCRE RegExp Character Class Substring Handling Uninitialized Memory Read DoS
CVE-2015-8393 - PCRE pcregrep Binary File -q Option Handling Information Disclosure
CVE-2015-8394 - PCRE RegExp digits Conditions Handling Integer Overflow DoS
CVE-2015-8391 - PCRE pcre_compile.c pcre_compile() Function RegExp Nesting Handling CPU Consumption DoS

Because tracing user input to determine whether these issues actually affect SecurityCenter would take considerable time, Tenable opted to upgrade PHP instead, as a precautionary measure. Note that the CVSS score in this advisory reflects the highest risk of the issues included, as it may potentially impact SecurityCenter.

Please note that Tenable strongly recommends that SecurityCenter be installed on a subnet that is not Internet addressable.
