===========================================================================
AUSCERT Security Bulletin

ASB-2017.0202
OpenSSL and PHP updates for Tenable SecurityCenter
20 November 2017
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              Tenable SecurityCenter
Operating System:     Linux variants
                      Network Appliance
                      Virtualisation
Impact/Access:        Denial of Service              -- Existing Account
                      Provide Misleading Information -- Remote with User Interaction
                      Access Confidential Data       -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-3736 CVE-2017-3735 CVE-2017-1283
Member content until: Wednesday, December 20 2017

OVERVIEW

Multiple vulnerabilities have been identified in supporting software
bundled with Tenable SecurityCenter versions 5.6.0.1. [1]

IMPACT

The vendor has provided the following details regarding these issues:

"  * PCRE Library Heap Overflow Vulnerability (CVE-2016-1283) [2]
   * OpenSSL Security Bypass Vulnerability (CVE-2017-3735) [3]
   * OpenSSL Information Disclosure Vulnerability (CVE-2017-3736) [4]" [1]

MITIGATION

Tenable advises users that SecurityCenter 5.6.0.1 was released to address
these issues. It updates PHP to 5.6.32 and OpenSSL to 1.0.2m. [1]

The new version is available from Tenable Support Center. [5]

REFERENCES

[1] Security update
    https://www.tenable.com/security/tns-2017-14

[2] NVD - CVE-2016-1283
    https://nvd.nist.gov/vuln/detail/CVE-2016-1283

[3] NVD - CVE-2017-3735
    https://nvd.nist.gov/vuln/detail/CVE-2017-3735

[4] NVD - CVE-2017-3736
    https://nvd.nist.gov/vuln/detail/CVE-2017-3736

[5] Tenable Support Portal
    https://support.tenable.com/support-center/index.php?x=&mod_id=160

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================