Amazon Linux AMI : php (ALAS-2013-262)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Amazon Linux AMI host is missing a security update.

Description :

The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP
before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not
properly parse (1) notBefore and (2) notAfter timestamps in X.509
certificates, which allows remote attackers to execute arbitrary code
or cause a denial of service (memory corruption) via a crafted
certificate that is not properly handled by the openssl_x509_parse
function.

See also :

http://www.nessus.org/u?c617ce22

Solution :

Run 'yum update php' to update your system.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: Amazon Linux Local Security Checks

Nessus Plugin ID: 71574 ()

Bugtraq ID:

CVE ID: CVE-2013-6420