===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0202
            OpenSSL and PHP updates for Tenable SecurityCenter
                             20 November 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Tenable SecurityCenter
Operating System:     Linux variants
                      Network Appliance
                      Virtualisation
Impact/Access:        Denial of Service              -- Existing Account            
                      Provide Misleading Information -- Remote with User Interaction
                      Access Confidential Data       -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-3736 CVE-2017-3735 CVE-2016-1283
Member content until: Wednesday, December 20 2017

OVERVIEW

        Multiple vulnerabilities have been identified in supporting software
        bundled with Tenable SecurityCenter versions 5.6.0.1. [1]


IMPACT

        The vendor has provided the following details regarding these issues:
        
        " * PCRE Library Heap Overflow Vulnerability (CVE-2016-1283)     [2]
          * OpenSSL Security Bypass Vulnerability (CVE-2017-3735)        [3]
          * OpenSSL Information Disclosure Vulnerability (CVE-2017-3736) [4]"
        [1]


MITIGATION

        Tenable advises users that SecurityCenter 5.6.0.1 was released to
        address these issues. It updates PHP to 5.6.32 and OpenSSL to 1.0.2m.
        [1]
        
        The new version is available from Tenable Support Center. [5]


REFERENCES

        [1] Security update
            https://www.tenable.com/security/tns-2017-14

        [2] NVD - CVE-2016-1283
            https://nvd.nist.gov/vuln/detail/CVE-2016-1283

        [3] NVD - CVE-2017-3735
            https://nvd.nist.gov/vuln/detail/CVE-2017-3735

        [4] NVD - CVE-2017-3736
            https://nvd.nist.gov/vuln/detail/CVE-2017-3736

        [5] Tenable Support Portal
            https://support.tenable.com/support-center/index.php?x=&mod_id=160

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================