sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2015:1066 advisory.

  - php: use after free vulnerability in unserialize() (CVE-2014-8142)

  - php: out of bounds read when parsing a crafted .php file (CVE-2014-9427)

  - file: out of bounds read in mconvert() (CVE-2014-9652)

  - php: heap buffer overflow in enchant_broker_request_dict() (CVE-2014-9705)

  - gd: buffer read overflow in gd_gif_in.c (CVE-2014-9709)

  - php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142) (CVE-2015-0231)

  - php: Free called on unitialized pointer in exif.c (CVE-2015-0232)

  - php: use after free vulnerability in unserialize() with DateTimeZone (CVE-2015-0273)

  - php: use after free in opcache extension (CVE-2015-1351)

  - php: use after free in phar_object.c (CVE-2015-2301)

  - regex: heap overflow in regcomp() on 32-bit architectures (CVE-2015-2305)

  - php: move_uploaded_file() NUL byte injection in file name (CVE-2015-2348)

  - php: buffer over-read in Phar metadata parsing (CVE-2015-2783)

  - php: use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re     (CVE-2015-2787)

  - php: invalid pointer free() in phar_tar_process_metadata() (CVE-2015-3307)

  - php: buffer overflow in phar_set_inode() (CVE-2015-3329)

  - php: pipelined request executed in deinitialized interpreter under httpd 2.4 (CVE-2015-3330)

  - php: missing null byte checks for paths in various PHP extensions (CVE-2015-3411, CVE-2015-3412)

  - php: SoapClient's __call() type confusion through unserialize() (CVE-2015-4147)

  - php: SoapClient's do_soap_call() type confusion after unserialize() (CVE-2015-4148)

  - php: type confusion issue in unserialize() with various SOAP methods (CVE-2015-4599, CVE-2015-4600,     CVE-2015-4601)

  - php: Incomplete Class unserialization type confusion (CVE-2015-4602)

  - php: exception::getTraceAsString type confusion issue after unserialize (CVE-2015-4603)

  - php: denial of service when processing a crafted file with Fileinfo (CVE-2015-4604, CVE-2015-4605)

  - php: HTTP response splitting in header() function (CVE-2015-8935)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2015-1066 advisory.

  - Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in     PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute     arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within     the serialized properties of an object, a different vulnerability than CVE-2004-1019. (CVE-2014-8142)

  - The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before     5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length     field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause     a denial of service (out-of-bounds memory access and application crash) via a crafted file.
    (CVE-2014-9652)

  - Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP     before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary     code via vectors that trigger creation of multiple dictionaries. (CVE-2014-9705)

  - The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x     before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application     crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.
    (CVE-2014-9709)

  - Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in     PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute     arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys     within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete     fix for CVE-2014-8142. (CVE-2015-0231)

  - The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x     before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized     pointer free and application crash) via crafted EXIF data in a JPEG image. (CVE-2015-0232)

  - Multiple use-after-free vulnerabilities in ext/date/php_date.c in PHP before 5.4.38, 5.5.x before 5.5.22,     and 5.6.x before 5.6.6 allow remote attackers to execute arbitrary code via crafted serialized input     containing a (1) R or (2) r type specifier in (a) DateTimeZone data handled by the     php_date_timezone_initialize_from_hash function or (b) DateTime data handled by the     php_date_initialize_from_hash function. (CVE-2015-0273)

  - Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and     5.6.x before 5.6.6 allows remote attackers to cause a denial of service or possibly have unspecified other     impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file.
    (CVE-2015-2301)

  - The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before     5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows     remote attackers to bypass intended extension restrictions and create files with unexpected names via a     crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
    (CVE-2015-2348)

  - ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers     to obtain sensitive information from process memory or cause a denial of service (buffer over-read and     application crash) via a crafted length value in conjunction with crafted serialized data in a phar     archive, related to the phar_parse_metadata and phar_parse_pharfile functions. (CVE-2015-2783)

  - Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in     PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute     arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup     function, a related issue to CVE-2015-0231. (CVE-2015-2787)

  - The phar_parse_metadata function in ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x     before 5.6.8 allows remote attackers to cause a denial of service (heap metadata corruption) or possibly     have unspecified other impact via a crafted tar archive. (CVE-2015-3307)

  - Multiple stack-based buffer overflows in the phar_set_inode function in phar_internal.h in PHP before     5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allow remote attackers to execute arbitrary code via a     crafted length value in a (1) tar, (2) phar, or (3) ZIP archive. (CVE-2015-3329)

  - The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP before 5.4.40, 5.5.x before 5.5.24,     and 5.6.x before 5.6.8, when the Apache HTTP Server 2.4.x is used, allows remote attackers to cause a     denial of service (application crash) or possibly execute arbitrary code via pipelined HTTP requests that     result in a deconfigured interpreter. (CVE-2015-3330)

  - PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00     sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an     application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the     finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename\0.xml attack that     bypasses an intended configuration in which client users may read only .xml files. (CVE-2015-3411)

  - PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00     sequences, which might allow remote attackers to read arbitrary files via crafted input to an application     that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a     filename\0.extension attack that bypasses an intended configuration in which client users may read files     with only one specific extension. (CVE-2015-3412)

  - The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x     before 5.6.7 does not verify that __default_headers is an array, which allows remote attackers to execute     arbitrary code by providing crafted serialized data with an unexpected data type, related to a type     confusion issue. (CVE-2015-4147)

  - The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before     5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive     information by providing crafted serialized data with an int data type, related to a type confusion     issue. (CVE-2015-4148)

  - The SoapFault::__toString method in ext/soap/soap.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x     before 5.6.8 allows remote attackers to obtain sensitive information, cause a denial of service     (application crash), or possibly execute arbitrary code via an unexpected data type, related to a type     confusion issue. (CVE-2015-4599)

  - The SoapClient implementation in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows     remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via     an unexpected data type, related to type confusion issues in the (1) SoapClient::__getLastRequest, (2)     SoapClient::__getLastResponse, (3) SoapClient::__getLastRequestHeaders, (4)     SoapClient::__getLastResponseHeaders, (5) SoapClient::__getCookies, and (6) SoapClient::__setCookie     methods. (CVE-2015-4600)

  - PHP before 5.6.7 might allow remote attackers to cause a denial of service (application crash) or possibly     execute arbitrary code via an unexpected data type, related to type confusion issues in (1)     ext/soap/php_encoding.c, (2) ext/soap/php_http.c, and (3) ext/soap/soap.c, a different issue than     CVE-2015-4600. (CVE-2015-4601)

  - The __PHP_Incomplete_Class function in ext/standard/incomplete_class.c in PHP before 5.4.40, 5.5.x before     5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or     possibly execute arbitrary code via an unexpected data type, related to a type confusion issue.
    (CVE-2015-4602)

  - The exception::getTraceAsString function in Zend/zend_exceptions.c in PHP before 5.4.40, 5.5.x before     5.5.24, and 5.6.x before 5.6.8 allows remote attackers to execute arbitrary code via an unexpected data     type, related to a type confusion issue. (CVE-2015-4603)

  - The mget function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40,     5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly maintain a certain pointer relationship,     which allows remote attackers to cause a denial of service (application crash) or possibly execute     arbitrary code via a crafted string that is mishandled by a Python script text executable rule.
    (CVE-2015-4604)

  - The mcopy function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40,     5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly restrict a certain offset value, which     allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary     code via a crafted string that is mishandled by a Python script text executable rule. (CVE-2015-4605)

  - sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through     5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during     processing of an invalid file that begins with a # character and lacks a newline character, which causes     an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi     process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if     a valid PHP script is present in memory locations adjacent to the mapping. (CVE-2014-9427)

  - Use-after-free vulnerability in the _zend_shared_memdup function in zend_shared_alloc.c in the OPcache     extension in PHP through 5.6.7 allows remote attackers to cause a denial of service or possibly have     unspecified other impact via unknown vectors. (CVE-2015-1351)

  - Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer)     alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-     dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based     buffer overflow. (CVE-2015-2305)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2015-1053 advisory.

  - Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in     PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute     arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within     the serialized properties of an object, a different vulnerability than CVE-2004-1019. (CVE-2014-8142)

  - The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before     5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length     field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause     a denial of service (out-of-bounds memory access and application crash) via a crafted file.
    (CVE-2014-9652)

  - Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP     before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary     code via vectors that trigger creation of multiple dictionaries. (CVE-2014-9705)

  - The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x     before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application     crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.
    (CVE-2014-9709)

  - Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in     PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute     arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys     within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete     fix for CVE-2014-8142. (CVE-2015-0231)

  - The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x     before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized     pointer free and application crash) via crafted EXIF data in a JPEG image. (CVE-2015-0232)

  - Multiple use-after-free vulnerabilities in ext/date/php_date.c in PHP before 5.4.38, 5.5.x before 5.5.22,     and 5.6.x before 5.6.6 allow remote attackers to execute arbitrary code via crafted serialized input     containing a (1) R or (2) r type specifier in (a) DateTimeZone data handled by the     php_date_timezone_initialize_from_hash function or (b) DateTime data handled by the     php_date_initialize_from_hash function. (CVE-2015-0273)

  - Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and     5.6.x before 5.6.6 allows remote attackers to cause a denial of service or possibly have unspecified other     impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file.
    (CVE-2015-2301)

  - The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before     5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows     remote attackers to bypass intended extension restrictions and create files with unexpected names via a     crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
    (CVE-2015-2348)

  - Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in     PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute     arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup     function, a related issue to CVE-2015-0231. (CVE-2015-2787)

  - The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x     before 5.6.7 does not verify that __default_headers is an array, which allows remote attackers to execute     arbitrary code by providing crafted serialized data with an unexpected data type, related to a type     confusion issue. (CVE-2015-4147)

  - The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before     5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive     information by providing crafted serialized data with an int data type, related to a type confusion     issue. (CVE-2015-4148)

  - The SoapFault::__toString method in ext/soap/soap.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x     before 5.6.8 allows remote attackers to obtain sensitive information, cause a denial of service     (application crash), or possibly execute arbitrary code via an unexpected data type, related to a type     confusion issue. (CVE-2015-4599)

  - The SoapClient implementation in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows     remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via     an unexpected data type, related to type confusion issues in the (1) SoapClient::__getLastRequest, (2)     SoapClient::__getLastResponse, (3) SoapClient::__getLastRequestHeaders, (4)     SoapClient::__getLastResponseHeaders, (5) SoapClient::__getCookies, and (6) SoapClient::__setCookie     methods. (CVE-2015-4600)

  - PHP before 5.6.7 might allow remote attackers to cause a denial of service (application crash) or possibly     execute arbitrary code via an unexpected data type, related to type confusion issues in (1)     ext/soap/php_encoding.c, (2) ext/soap/php_http.c, and (3) ext/soap/soap.c, a different issue than     CVE-2015-4600. (CVE-2015-4601)

  - sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through     5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during     processing of an invalid file that begins with a # character and lacks a newline character, which causes     an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi     process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if     a valid PHP script is present in memory locations adjacent to the mapping. (CVE-2014-9427)

  - Use-after-free vulnerability in the _zend_shared_memdup function in zend_shared_alloc.c in the OPcache     extension in PHP through 5.6.7 allows remote attackers to cause a denial of service or possibly have     unspecified other impact via unknown vectors. (CVE-2015-1351)

  - The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does     not validate token extraction for table names, which allows remote attackers to cause a denial of service     (NULL pointer dereference and application crash) via a crafted name. (CVE-2015-1352)

  - Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer)     alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-     dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based     buffer overflow. (CVE-2015-2305)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the php packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An integer underflow flaw leading to out-of-bounds     memory access was found in the way PHP's Phar extension     parsed Phar archives. A specially crafted archive could     cause PHP to crash or, possibly, execute arbitrary code     when opened.(CVE-2015-4021)

  - An out of bounds read flaw was found in the way the     xmlrpc extension parsed dates in the ISO 8601 format. A     specially crafted XML-RPC request or response could     possibly cause a PHP application to     crash.(CVE-2014-3668)

  - It was found that certain PHP functions did not     properly handle file names containing a NULL character.
    A remote attacker could possibly use this flaw to make     a PHP script access unexpected files and bypass     intended file system access     restrictions.(CVE-2015-4598)

  - A flaw was found in the way PHP handled malformed     source files when running in CGI mode. A specially     crafted PHP file could cause PHP CGI to     crash.(CVE-2014-9427)

  - An issue was discovered in PHP before 5.6.36, 7.0.x     before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before     7.2.5. ext/ldap/ldap.c allows remote LDAP servers to     cause a denial of service (NULL pointer dereference and     application crash) because of mishandling of the     ldap_get_dn return value.(CVE-2018-10548)

  - An infinite loop vulnerability was found in     ext/iconv/iconv.c in PHP due to the iconv stream not     rejecting invalid multibyte sequences. A remote     attacker could use this vulnerability to hang the php     process and consume resources.(CVE-2018-10546)

  - The openssl_x509_parse function in openssl.c in the     OpenSSL module in PHP before 5.4.18 and 5.5.x before     5.5.2 does not properly handle a '\\0' character in a     domain name in the Subject Alternative Name field of an     X.509 certificate, which allows man-in-the-middle     attackers to spoof arbitrary SSL servers via a crafted     certificate issued by a legitimate Certification     Authority, a related issue to     CVE-2009-2408.(CVE-2013-4248)

  - A use-after-free flaw was found in the way PHP's     unserialize() function processed data. If a remote     attacker was able to pass crafted input to PHP's     unserialize() function, they could cause the PHP     interpreter to crash or, possibly, execute arbitrary     code.(CVE-2015-0231)

  - A flaw was discovered in the way PHP performed object     unserialization. Specially crafted input processed by     the unserialize() function could cause a PHP     application to crash or, possibly, execute arbitrary     code.(CVE-2015-4602)

  - It was found that certain PHP functions did not     properly handle file names containing a NULL character.
    A remote attacker could possibly use this flaw to make     a PHP script access unexpected files and bypass     intended file system access     restrictions.(CVE-2015-3412)

  - The mcopy function in softmagic.c in file 5.x, as used     in the Fileinfo component in PHP before 5.4.40, 5.5.x     before 5.5.24, and 5.6.x before 5.6.8, does not     properly restrict a certain offset value, which allows     remote attackers to cause a denial of service     (application crash) or possibly execute arbitrary code     via a crafted string that is mishandled by a 'Python     script text executable' rule.(CVE-2015-4605)

  - A heap buffer overflow flaw was found in the     enchant_broker_request_dict() function of PHP's enchant     extension. A specially crafted tag input could possibly     cause a PHP application to crash.(CVE-2014-9705)

  - A buffer overflow flaw was found in the Exif extension.
    A specially crafted JPEG or TIFF file could cause a PHP     application using the exif_thumbnail() function to     crash or, possibly, execute arbitrary code with the     privileges of the user running that PHP     application.(CVE-2014-3670)

  - A flaws was discovered in the way PHP performed object     unserialization. Specially crafted input processed by     the unserialize() function could cause a PHP     application to crash or, possibly, execute arbitrary     code.(CVE-2015-4148)

  - A type confusion issue was found in the SPL ArrayObject     and SPLObjectStorage classes' unserialize() method. A     remote attacker able to submit specially crafted input     to a PHP application, which would then unserialize this     input using one of the aforementioned methods, could     use this flaw to execute arbitrary code with the     privileges of the user running that PHP     application.(CVE-2014-3515)

  - The mget function in softmagic.c in file 5.x, as used     in the Fileinfo component in PHP before 5.4.40, 5.5.x     before 5.5.24, and 5.6.x before 5.6.8, does not     properly maintain a certain pointer relationship, which     allows remote attackers to cause a denial of service     (application crash) or possibly execute arbitrary code     via a crafted string that is mishandled by a 'Python     script text executable' rule.(CVE-2015-4604)

  - A NULL pointer dereference flaw was found in the     gdImageCreateFromXpm() function of PHP's gd extension.
    A remote attacker could use this flaw to crash a PHP     application using gd via a specially crafted X PixMap     (XPM) file.(CVE-2014-2497)

  - A flaw was found in the way PHP parsed multipart HTTP     POST requests. A specially crafted request could cause     PHP to use an excessive amount of CPU     time.(CVE-2015-4024)

  - Multiple flaws were discovered in the way PHP's Soap     extension performed object unserialization. Specially     crafted input processed by the unserialize() function     could cause a PHP application to disclose portion of     its memory or crash.(CVE-2015-4599)

  - A flaw was discovered in the way PHP performed object     unserialization. Specially crafted input processed by     the unserialize() function could cause a PHP     application to crash or, possibly, execute arbitrary     code.(CVE-2015-4603)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.5. It is, therefore, affected by multiple vulnerabilities:

 - An out-of-bounds read flaw in file 'cgi_main.c' exists when nmap is used to process an invalid file that begins with a hash character (#) but lacks a newline character. A remote attacker, using a specially crafted PHP file, can exploit this vulnerability to disclose memory contents, cause a denial of service, or possibly execute code. (CVE-2014-9427)

 - An out-of-bounds read issue exists in the GetCode_() function in 'gd_gif_in.c'. This allows a remote attacker to disclose memory contents. (CVE-2014-9709)

 - A use-after-free memory error exists in the process_nested_data() function in 'var_unserializer.re' due to improper handling of duplicate numerical keys within the serialized properties of an object. A remote attacker, using a crafted unserialize method call, can exploit this vulnerability to execute arbitrary code. (CVE-2015-0231)

 - A flaw exists in the exif_process_unicode() function in 'exif.c' that allows freeing an uninitialized pointer. A remote attacker, using specially crafted EXIF data in a JPEG image, can exploit this to cause a denial of service or to execute arbitrary code. (CVE-2015-0232)

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

php5 was updated to fix four security issues.

These security issues were fixed :

  - CVE-2015-0231: Use-after-free vulnerability in the     process_nested_data function in     ext/standard/var_unserializer.re in PHP before 5.4.37,     5.5.x before 5.5.21, and 5.6.x before 5.6.5 allowed     remote attackers to execute arbitrary code via a crafted     unserialize call that leverages improper handling of     duplicate numerical keys within the serialized     properties of an object. NOTE: this vulnerability exists     because of an incomplete fix for CVE-2014-8142     (bnc#910659).

  - CVE-2014-9427: sapi/cgi/cgi_main.c in the CGI component     in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x     through 5.6.4, when mmap is used to read a .php file,     did not properly consider the mapping's length during     processing of an invalid file that begins with a #     character and lacks a newline character, which caused an     out-of-bounds read and might (1) allow remote attackers     to obtain sensitive information from php-cgi process     memory by leveraging the ability to upload a .php file     or (2) trigger unexpected code execution if a valid PHP     script is present in memory locations adjacent to the     mapping (bnc#911664).

  - CVE-2015-0232: The exif_process_unicode function in     ext/exif/exif.c in PHP before 5.4.37, 5.5.x before     5.5.21, and 5.6.x before 5.6.5 allowed remote attackers     to execute arbitrary code or cause a denial of service     (uninitialized pointer free and application crash) via     crafted EXIF data in a JPEG image (bnc#914690).

  - CVE-2014-8142: Use-after-free vulnerability in the     process_nested_data function in     ext/standard/var_unserializer.re in PHP before 5.4.36,     5.5.x before 5.5.20, and 5.6.x before 5.6.4 allowed     remote attackers to execute arbitrary code via a crafted     unserialize call that leverages improper handling of     duplicate keys within the serialized properties of an     object, a different vulnerability than CVE-2004-1019     (bnc#910659).

Additionally a fix was included that protects against a possible NULL pointer use (bnc#910659).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11 and is affected by multiple vulnerabilities in the following components : 

 - Address Book 
 - AirScan 
 - apache_mod_php 
 - Apple Online Store Kit 
 - AppleEvents 
 - Audio 
 - bash 
 - Certificate Trust Policy 
 - CFNetwork Cookies - CFNetwork FTPProtocol 
 - CFNetwork HTTPProtocol 
 - CFNetwork Proxies 
 - CFNetwork SSL 
 - CoreCrypto 
 - CoreText 
 - Dev Tools 
 - Disk Images 
 - dyld 
 - EFI 
 - Finder 
 - Game Center 
 - Heimdal 
 - ICU 
 - Install Framework Legacy 
 - Intel Graphics Driver 
 - IOAudioFamily 
 - IOGraphics 
 - IOHIDFamily 
 - IOStorageFamily 
 - Kernel 
 - libc 
 - libpthread 
 - libxpc 
 - Login Window 
 - lukemftpd 
 - Mail 
 - Multipeer Connectivity 
 - NetworkExtension 
 - Notes 
 - OpenSSH 
 - OpenSSL 
 - procmail 
 - remote_cmds 
 - removefile 
 - Ruby 
 - Safari 
 - Safari Downloads 
 - Safari Extensions 
 - Safari Safe Browsing 
 - Security 
 - SMB 
 - SQLite 
 - Telephony 
 - Terminal 
 - tidy 
 - Time Machine 
 - WebKit 
 - WebKit CSS 
 - WebKit JavaScript Bindings 
 - WebKit Page Loading 
 - WebKit Plug-ins

The remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components :

  - Address Book
  - AirScan
  - apache_mod_php
  - Apple Online Store Kit
  - AppleEvents
  - Audio
  - bash
  - Certificate Trust Policy
  - CFNetwork Cookies
  - CFNetwork FTPProtocol
  - CFNetwork HTTPProtocol
  - CFNetwork Proxies
  - CFNetwork SSL
  - CoreCrypto
  - CoreText
  - Dev Tools
  - Disk Images
  - dyld
  - EFI
  - Finder
  - Game Center
  - Heimdal
  - ICU
  - Install Framework Legacy
  - Intel Graphics Driver
  - IOAudioFamily
  - IOGraphics
  - IOHIDFamily
  - IOStorageFamily
  - Kernel
  - libc
  - libpthread
  - libxpc
  - Login Window
  - lukemftpd
  - Mail
  - Multipeer Connectivity
  - NetworkExtension
  - Notes
  - OpenSSH
  - OpenSSL
  - procmail
  - remote_cmds
  - removefile
  - Ruby
  - Safari
  - Safari Downloads
  - Safari Extensions
  - Safari Safe Browsing
  - Security
  - SMB
  - SQLite
  - Telephony
  - Terminal
  - tidy
  - Time Machine
  - WebKit
  - WebKit CSS
  - WebKit JavaScript Bindings
  - WebKit Page Loading
  - WebKit Plug-ins

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote web server is prior to 7.5.0. It is, therefore, affected by multiple vulnerabilities :

  - A flaw exists within the 'mod_deflate' module when     handling highly compressed bodies. A remote attacker can     exploit this, via a specially crafted request, to     exhaust memory and CPU resources, resulting in a denial     of service condition. (CVE-2014-0118)

  - The 'mod_status' module contains a race condition that     can be triggered when handling the scoreboard. A remote     attacker can exploit this to cause a denial of service,     execute arbitrary code, or obtain sensitive credential     information. (CVE-2014-0226)

  - The 'mod_cgid' module lacks a time out mechanism. A     remote attacker can exploit this, via a specially     crafted request, to cause child processes to linger     indefinitely, filling up the scoreboard and resulting in     a denial of service vulnerability. (CVE-2014-0231)

  - A flaw exists in WinNT MPM versions 2.4.1 to 2.4.9 when     using the default AcceptFilter. An attacker can exploit     this, via specially crafted requests. to create a memory     leak, resulting in a denial of service condition.
    (CVE-2014-3523)

  - A NULL pointer dereference flaw exists when the SSLv3     option isn't enabled and an SSLv3 ClientHello is     received. This allows a remote attacker, using an     unexpected handshake, to crash the daemon, resulting in     a denial of service. (CVE-2014-3569)

  - The BIGNUM squaring (BN_sqr) implementation does not     properly calculate the square of a BIGNUM value. This     allows remote attackers to defeat cryptographic     protection mechanisms. (CVE-2014-3570)

  - A NULL pointer dereference flaw exists in the     dtls1_get_record() function when handling DTLS messages.
    A remote attacker, using a specially crafted DTLS     message, can cause a denial of service. (CVE-2014-3571)

  - A flaw exists with ECDH handshakes when using an ECDSA     certificate without a ServerKeyExchange message. This     allows a remote attacker to trigger a loss of forward     secrecy from the ciphersuite. (CVE-2014-3572)

  - A use-after-free error exists in the     'process_nested_data' function within     'ext/standard/var_unserializer.re' due to improper     handling of duplicate keys within the serialized     properties of an object. A remote attacker, using a     specially crafted call to the 'unserialize' method, can     exploit this flaw to execute arbitrary code on the     system. (CVE-2014-8142)

  - A flaw exists when accepting non-DER variations of     certificate signature algorithms and signature encodings     due to a lack of enforcement of matches between signed     and unsigned portions. A remote attacker, by including     crafted data within a certificate's unsigned portion,     can bypass fingerprint-based certificate-blacklist     protection mechanisms. (CVE-2014-8275)

  - An out-of-bounds read flaw in file 'cgi_main.c' exists     when nmap is used to process an invalid file that begins     with a hash character (#) but lacks a newline character.
    A remote attacker, using a specially crafted PHP file,     can exploit this vulnerability to disclose memory     contents, cause a denial of service, or possibly execute     code. (CVE-2014-9427)

  - An out-of-bounds read error exists in the Fine Free File     component that is bundled with PHP. A remote attacker     can exploit this to cause a denial of service condition     or the disclosure of sensitive information.
    (CVE-2014-9652)

  - A memory corruption issue exists in the Fine Free File     component that is bundled with PHP. A remote attacker     can exploit this to cause an unspecified impact.
    (CVE-2014-9653)

  - A heap buffer overflow condition exists in PHP in the     enchant_broker_request_dict() function due to improper     validation of user-supplied input. An attacker can     exploit this to cause a denial of service condition or     the execution of arbitrary code. (CVE-2014-9705)

  - A security feature bypass vulnerability, known as FREAK     (Factoring attack on RSA-EXPORT Keys), exists due to the     support of weak EXPORT_RSA cipher suites with keys less     than or equal to 512 bits. A man-in-the-middle attacker     may be able to downgrade the SSL/TLS connection to use     EXPORT_RSA cipher suites which can be factored in a     short amount of time, allowing the attacker to intercept     and decrypt the traffic. (CVE-2015-0204)

  - A flaw exists when accepting DH certificates for client     authentication without the CertificateVerify message.
    This allows a remote attacker to authenticate to the     service without a private key. (CVE-2015-0205)

  - A memory leak occurs in dtls1_buffer_record()     when handling a saturation of DTLS records containing     the same number sequence but for the next epoch. This     allows a remote attacker to cause a denial of service.
    (CVE-2015-0206)

  - A flaw exists in the DTLSv1_listen() function due to     state being preserved in the SSL object from one     invocation to the next. A remote attacker can exploit     this, via crafted DTLS traffic, to cause a segmentation     fault, resulting in a denial of service.
    (CVE-2015-0207)

  - A flaw exists in the rsa_item_verify() function due to     improper implementation of ASN.1 signature verification.
    A remote attacker can exploit this, via an ASN.1     signature using the RSA PSS algorithm and invalid     parameters, to cause a NULL pointer dereference,     resulting in a denial of service. (CVE-2015-0208)

  - A use-after-free condition exists in the     d2i_ECPrivateKey() function due to improper processing     of malformed EC private key files during import. A     remote attacker can exploit this to dereference or free     already freed memory, resulting in a denial of service     or other unspecified impact. (CVE-2015-0209)

  - A use-after-free memory error exists in the     process_nested_data() function in 'var_unserializer.re'     due to improper handling of duplicate numerical keys     within the serialized properties of an object. A remote     attacker, using a crafted unserialize method call, can     exploit this vulnerability to execute arbitrary code.
    (CVE-2015-0231)

  - A flaw exists in the exif_process_unicode() function in     'exif.c' that allows freeing an uninitialized pointer. A     remote attacker, using specially crafted EXIF data in a     JPEG image, can exploit this to cause a denial of     service or to execute arbitrary code. (CVE-2015-0232)

  - A use-after-free flaw exists in the function     php_date_timezone_initialize_from_hash() within the     'ext/date/php_date.c' script. An attacker can exploit     this to access sensitive information or crash     applications linked to PHP. (CVE-2015-0273)

  - A flaw exists in the ssl3_client_hello() function due to     improper validation of a PRNG seed before proceeding     with a handshake, resulting in insufficient entropy and     predictable output. This allows a man-in-the-middle     attacker to defeat cryptographic protection mechanisms     via a brute-force attack, resulting in the disclosure of     sensitive information. (CVE-2015-0285)

  - An invalid read error exists in the ASN1_TYPE_cmp()     function due to improperly performed boolean-type     comparisons. A remote attacker can exploit this, via a     crafted X.509 certificate to an endpoint that uses the     certificate-verification feature, to cause an invalid     read operation, resulting in a denial of service.
    (CVE-2015-0286)

  - A flaw exists in the ASN1_item_ex_d2i() function due to     a failure to reinitialize 'CHOICE' and 'ADB' data     structures when reusing a structure in ASN.1 parsing.
    This allows a remote attacker to cause an invalid write     operation and memory corruption, resulting in a denial     of service. (CVE-2015-0287)

  - A NULL pointer dereference flaw exists in the     X509_to_X509_REQ() function due to improper processing     of certificate keys. This allows a remote attacker, via     a crafted X.509 certificate, to cause a denial of     service. (CVE-2015-0288)

  - A NULL pointer dereference flaw exists in the PKCS#7     parsing code due to incorrect handling of missing outer     ContentInfo. This allows a remote attacker, using an     application that processes arbitrary PKCS#7 data and     providing malformed data with ASN.1 encoding, to cause     a denial of service. (CVE-2015-0289)

  - A flaw exists with the 'multiblock' feature in the     ssl3_write_bytes() function due to improper handling of     certain non-blocking I/O cases. This allows a remote     attacker to cause failed connections or a segmentation     fault, resulting in a denial of service. (CVE-2015-0290)

  - A NULL pointer dereference flaw exists when handling     clients attempting to renegotiate using an invalid     signature algorithm extension. A remote attacker can     exploit this to cause a denial of service.
    (CVE-2015-0291)

  - An integer underflow condition exists in the     EVP_DecodeUpdate() function due to improper validation     of base64 encoded input when decoding. This allows a     remote attacker, using maliciously crafted base64 data,     to cause a segmentation fault or memory corruption,     resulting in a denial of service or possibly the     execution of arbitrary code. (CVE-2015-0292)

  - A flaw exists in servers that both support SSLv2 and     enable export cipher suites due to improper     implementation of SSLv2. A remote attacker can exploit     this, via a crafted CLIENT-MASTER-KEY message, to cause     a denial of service. (CVE-2015-0293)

  - A flaw exists in the ssl3_get_client_key_exchange()     function when client authentication and an ephemeral     Diffie-Hellman ciphersuite are enabled. This allows a     remote attacker, via a ClientKeyExchange message with a     length of zero, to cause a denial of service.
    (CVE-2015-1787)

  - A cross-site request forgery (XSRF) vulnerability exists     due to the lack of a unique token when performing     sensitive actions via HTTP requests. (CVE-2015-2134)

  - A use-after-free error exists in the function     phar_rename_archive() in file 'phar_object.c'. A remote     attacker, by attempting to rename a phar archive to an     already existing file name, can exploit this to cause     a denial of service. (CVE-2015-2301)

  - A use-after-free error exists related to function     'unserialize', which can allow a remote attacker to     execute arbitrary code. Note that this issue is due to     an incomplete fix for CVE-2014-8142. (CVE-2015-0231)

  - A filter bypass vulnerability exists due to a flaw in     the move_uploaded_file() function in which pathnames are     truncated when a NULL byte is encountered. This allows a     remote attacker, via a crafted second argument, to     bypass intended extension restrictions and create files     with unexpected names. (CVE-2015-2348)

  - A user-after-free error exists in the     process_nested_data() function. This allows a remote     attacker, via a crafted unserialize call, to dereference     already freed memory, resulting in the execution of     arbitrary code. (CVE-2015-2787)

Multiple vulnerabilities has been discovered and corrected in php :

It was discovered that the file utility contains a flaw in the handling of indirect magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files (CVE-2014-1943).

A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code (CVE-2014-2270).

The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters (CVE-2013-7345).

PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain socket with world-writable permissions by default, which allows any local user to connect to it and execute PHP scripts as the apache user (CVE-2014-0185).

A flaw was found in the way file's Composite Document Files (CDF) format parser handle CDF files with many summary info entries. The cdf_unpack_summary_info() function unnecessarily repeatedly read the info from the same offset. This led to many file_printf() calls in cdf_file_property_info(), which caused file to use an excessive amount of CPU time when parsing a specially crafted CDF file (CVE-2014-0237).

A flaw was found in the way file parsed property information from Composite Document Files (CDF) files. A property entry with 0 elements triggers an infinite loop (CVE-2014-0238).

The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue related to the SPL ArrayObject and SPLObjectStorage Types (CVE-2014-3515).

It was discovered that PHP is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query (CVE-2014-4049).

A flaw was found in the way file parsed property information from Composite Document Files (CDF) files, where the mconvert() function did not correctly compute the truncated pascal string size (CVE-2014-3478).

Multiple flaws were found in the way file parsed property information from Composite Document Files (CDF) files, due to insufficient boundary checks on buffers (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487).

The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue that can cause it to leak arbitrary process memory (CVE-2014-4721).

Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments (CVE-2014-4698).

Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments (CVE-2014-4670).

file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule, due to an incomplete fix for CVE-2013-7345 (CVE-2014-3538).

Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE:
this vulnerability exists because of an incomplete fix for CVE-2012-1571 (CVE-2014-3587).

Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049 (CVE-2014-3597).

An integer overflow flaw in PHP's unserialize() function was reported.
If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure (CVE-2014-3669).

A heap corruption issue was reported in PHP's exif_thumbnail() function. A specially crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code (CVE-2014-3670).

If client-supplied input was passed to PHP's cURL client as a URL to download, it could return local files from the server due to improper handling of null bytes (PHP#68089).

An out-of-bounds read flaw was found in file's donote() function in the way the file utility determined the note headers of a elf file.
This could possibly lead to file executable crash (CVE-2014-3710).

A use-after-free flaw was found in PHP unserialize(). An untrusted input could cause PHP interpreter to crash or, possibly, execute arbitrary code when processed using unserialize() (CVE-2014-8142).

Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP before 5.5.21 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors (CVE-2014-9425).

sapi/cgi/cgi_main.c in the CGI component in PHP before 5.5.21, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping (CVE-2014-9427).

Use after free vulnerability in unserialize() in PHP before 5.5.21 (CVE-2015-0231).

Free called on an uninitialized pointer in php-exif in PHP before 5.5.21 (CVE-2015-0232).

The readelf.c source file has been removed from PHP's bundled copy of file's libmagic, eliminating exposure to denial of service issues in ELF file parsing such as CVE-2014-8116, CVE-2014-8117, CVE-2014-9620 and CVE-2014-9621 in PHP's fileinfo module.

S. Paraschoudis discovered that PHP incorrectly handled memory in the enchant binding. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2014-9705).

Taoguang Chen discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-0273).

It was discovered that PHP incorrectly handled memory in the phar extension. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-2301).

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 (CVE-2015-0231).

The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image (CVE-2015-0232).

An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code (CVE-2015-2331).

It was discovered that the PHP opcache component incorrectly handled memory. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1351).

It was discovered that the PHP PostgreSQL database extension incorrectly handled certain pointers. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1352).

PHP contains a bundled copy of the file utility's libmagic library, so it was vulnerable to the libmagic issues.

The updated php packages have been patched and upgraded to the 5.5.23 version which is not vulnerable to these issues. The libzip packages has been patched to address the CVE-2015-2331 flaw.

A bug in the php zip extension that could cause a crash has been fixed (mga#13820)

Additionally the jsonc and timezonedb packages has been upgraded to the latest versions and the PECL packages which requires so has been rebuilt for php-5.5.23.

The remote host is affected by the vulnerability described in GLSA-201503-03 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker can leverage these vulnerabilities to execute       arbitrary code or cause Denial of Service.
  Workaround :

    There is no known workaround at this time.

PHP versions 5.4.x prior to 5.4.37, 5.5.x prior to 5.5.21, and 5.6.x prior to 5.6.5 are exposed to the following issues:

  - The CGI component has an out-of-bounds read flaw in file 'cgi_main.c' when nmap is used to process an invalid file that begins with a hash character (#) but lacks a newline character. A remote attacker, using a specially crafted PHP file, can exploit this vulnerability to disclose memory contents, cause a denial of service, or possibly execute code. (Bug 68618 / CVE-2014-9427)

  - A use-after-free memory error exists in the function 'process_nested_data' within 'var_unserializer.re' due to the improper handling of duplicate numerical keys within the serialized properties of an object. A remote attacker, using a crafted unserialize method call, can exploit this vulnerability to execute arbitrary code. (Bug 68710 / CVE-2015-0231)

  - A flaw exists in function 'exif_process_unicode' within 'exif.c' that allows freeing an uninitialized pointer. A remote attacker, using specially crafted EXIF data in a JPEG image, can exploit this to cause a denial of service or to execute arbitrary code. (Bug 68799 / CVE-2015-0232)

  - An out-of-bounds read flaw exists in the 'fileinfo' extension of the 'src/softmagic.c' source file when handling certain Pascal strings. A remote attacker can exploit this issue to crash the affected application, denying service to legitimate users. (Bug 68735 / CVE-2014-9652)

php5 was updated to fix five security issues.

These security issues were fixed :

  - CVE-2015-0231: Use-after-free vulnerability in the     process_nested_data function in     ext/standard/var_unserializer.re in PHP before 5.4.37,     5.5.x before 5.5.21, and 5.6.x before 5.6.5 allowed     remote attackers to execute arbitrary code via a crafted     unserialize call that leverages improper handling of     duplicate numerical keys within the serialized     properties of an object. NOTE: this vulnerability exists     because of an incomplete fix for CVE-2014-8142     (bnc#910659).

  - CVE-2015-0232: The exif_process_unicode function in     ext/exif/exif.c in PHP before 5.4.37, 5.5.x before     5.5.21, and 5.6.x before 5.6.5 allowed remote attackers     to execute arbitrary code or cause a denial of service     (uninitialized pointer free and application crash) via     crafted EXIF data in a JPEG image (bnc#914690).

  - CVE-2014-8142: Use-after-free vulnerability in the     process_nested_data function in     ext/standard/var_unserializer.re in PHP before 5.4.36,     5.5.x before 5.5.20, and 5.6.x before 5.6.4 allowed     remote attackers to execute arbitrary code via a crafted     unserialize call that leverages improper handling of     duplicate keys within the serialized properties of an     object, a different vulnerability than CVE-2004-1019     (bnc#910659).

  - CVE-2014-9427: sapi/cgi/cgi_main.c in the CGI component     in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x     through 5.6.4, when mmap was used to read a .php file,     did not properly consider the mapping's length during     processing of an invalid file that begins with a #     character and lacks a newline character, which caused an     out-of-bounds read and might (1) allowed remote     attackers to obtain sensitive information from php-cgi     process memory by leveraging the ability to upload a     .php file or (2) trigger unexpected code execution if a     valid PHP script is present in memory locations adjacent     to the mapping (bnc#911664).

For openSUSE 13.2 this additional security issue was fixed :

  - CVE-2014-9426: The apprentice_load function in     libmagic/apprentice.c in the Fileinfo component in PHP     through 5.6.4 attempted to perform a free operation on a     stack-based character array, which allowed remote     attackers to cause a denial of service (memory     corruption or application crash) or possibly have     unspecified other impact via unknown vectors     (bnc#911663).

Stefan Esser discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2014-8142, CVE-2015-0231)

Brian Carpenter discovered that the PHP CGI component incorrectly handled invalid files. A local attacker could use this issue to obtain sensitive information, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9427)

It was discovered that PHP incorrectly handled certain pascal strings in the fileinfo extension. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9652)

Alex Eubanks discovered that PHP incorrectly handled EXIF data in JPEG images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2015-0232)

It was discovered that the PHP opcache component incorrectly handled memory. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1351)

It was discovered that the PHP PostgreSQL database extension incorrectly handled certain pointers. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1352).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping. (CVE-2014-9427)

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 . (CVE-2015-0231)

The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image. (CVE-2015-0232)

Multiple vulnerabilities have been discovered and corrected in php :

sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping (CVE-2014-9427).

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 (CVE-2015-0231).

The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image (CVE-2015-0232).

The updated php packages have been upgraded to the 5.5.21 version which is not vulnerable to these issues.

Additionally, the timezonedb package has been upgraded to the latest 2015.1 version, the php-suhosin package has been upgraded to the latest 0.9.37.1 and the PECL packages which requires so has been rebuilt for php-5.5.21.

22 Jan 2014, PHP 5.5.21

Core :

  - Upgraded crypt_blowfish to version 1.3. (Leigh)

    - Fixed bug #60704 (unlink() bug with some files path).

    - Fixed bug #65419 (Inside trait, self::class !=
      __CLASS__). (Julien)

    - Fixed bug #65576 (Constructor from trait conflicts       with inherited constructor). (dunglas at gmail dot       com)

    - Fixed bug #55541 (errors spawn MessageBox, which       blocks test automation). (Anatol)

    - Fixed bug #68297 (Application Popup provides too few       information). (Anatol)

    - Fixed bug #65769 (localeconv() broken in TS builds).
      (Anatol)

    - Fixed bug #65230 (setting locale randomly broken).
      (Anatol)

    - Fixed bug #66764 (configure doesn't define       EXPANDED_DATADIR / PHP_DATADIR correctly). (Ferenc)

    - Fixed bug #68583 (Crash in timeout thread). (Anatol)

    - Fixed bug #68676 (Explicit Double Free). (Kalle)

    - Fixed bug #68710 (Use After Free Vulnerability in       PHP's unserialize()). (CVE-2015-0231) (Stefan Esser)

CGI :

  - Fixed bug #68618 (out of bounds read crashes     php-cgi).(CVE-2014-9427) (Stas)

CLI server :

  - Fixed bug #68745 (Invalid HTTP requests make web server     segfault). (Adam)

cURL :

  - Fixed bug #67643 (curl_multi_getcontent returns ' when     CURLOPT_RETURNTRANSFER isn't set). (Jille Timmermans)

EXIF :

  - Fixed bug #68799: Free called on uninitialized pointer.
    (CVE-2015-0232) (Stas)

Fileinfo :

  - Fixed bug #68671 (incorrect expression in libmagic).
    (Joshua Rogers, Anatol Belski)

    - Removed readelf.c and related code from libmagic       sources (Remi, Anatol)

    - Fixed bug #68735 (fileinfo out-of-bounds memory       access). (Anatol)

FPM :

  - Fixed bug #68751 (listen.allowed_clients is broken).
    (Remi)

GD :

  - Fixed bug #68601 (buffer read overflow in gd_gif_in.c).
    (Jan Bee, Remi)

Mbstring :

  - Fixed bug #68504 (--with-libmbfl configure option not     present on Windows). (Ashesh Vashi)

Mcrypt :

  - Fixed possible read after end of buffer and use after     free. (Dmitry)

Opcache :

  - Fixed bug #67111 (Memory leak when using 'continue 2'     inside two foreach loops). (Nikita)

OpenSSL :

  - Fixed bug #55618 (use case-insensitive cert name     matching). (Daniel Lowrey)

Pcntl :

  - Fixed bug #60509 (pcntl_signal doesn't decrease     ref-count of old handler when setting SIG_DFL). (Julien)

PCRE :

  - Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream).
    (Rainer Jung, Anatol Belski)

pgsql :

  - Fixed bug #68697 (lo_export return -1 on failure).
    (Ondrej Sury)

PDO :

  - Fixed bug #68371 (PDO#getAttribute() cannot be called     with platform-specific attribute names). (Matteo)

PDO_mysql :

  - Fixed bug #68424 (Add new PDO mysql connection attr to     control multi statements option). (peter dot wolanin at     acquia dot com)

SPL :

  - Fixed bug #66405     (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks     the RecursiveIterator). (Paul Garvin)

    - Fixed bug #65213 (cannot cast SplFileInfo to boolean)       (Tjerk)

    - Fixed bug #68479 (Added escape parameter to       SplFileObject::fputcsv). (Salathe)

SQLite :

  - Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2).
    (Anatol)

Streams :

  - Fixed bug #68532 (convert.base64-encode omits padding     bytes). (blaesius at krumedia dot de)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

22 Jan 2015, PHP 5.6.5

Core :

  - Upgraded crypt_blowfish to version 1.3. (Leigh)

    - Fixed bug #60704 (unlink() bug with some files path).

    - Fixed bug #65419 (Inside trait, self::class !=
      __CLASS__). (Julien)

    - Fixed bug #68536 (pack for 64bits integer is broken on       bigendian). (Remi)

    - Fixed bug #55541 (errors spawn MessageBox, which       blocks test automation). (Anatol)

    - Fixed bug #68297 (Application Popup provides too few       information). (Anatol)

    - Fixed bug #65769 (localeconv() broken in TS builds).
      (Anatol)

    - Fixed bug #65230 (setting locale randomly broken).
      (Anatol)

    - Fixed bug #66764 (configure doesn't define       EXPANDED_DATADIR / PHP_DATADIR correctly). (Ferenc)

    - Fixed bug #68583 (Crash in timeout thread). (Anatol)

    - Fixed bug #65576 (Constructor from trait conflicts       with inherited constructor). (dunglas at gmail dot       com)

    - Fixed bug #68676 (Explicit Double Free). (Kalle)

    - Fixed bug #68710 (Use After Free Vulnerability in       PHP's unserialize()). (CVE-2015-0231) (Stefan Esser)

CGI :

  - Fixed bug #68618 (out of bounds read crashes php-cgi).
    (CVE-2014-9427) (Stas)

CLI server :

  - Fixed bug #68745 (Invalid HTTP requests make web server     segfault). (Adam)

cURL :

  - Fixed bug #67643 (curl_multi_getcontent returns ' when     CURLOPT_RETURNTRANSFER isn't set). (Jille Timmermans)

Date :

  - Implemented FR #68268 (DatePeriod: Getter for start     date, end date and interval). (Marc Bennewitz)

EXIF :

  - Fixed bug #68799: Free called on uninitialized pointer.
    (CVE-2015-0232) (Stas)

Fileinfo :

  - Fixed bug #68398 (msooxml matches too many archives).
    (Anatol)

    - Fixed bug #68665 (invalid free in libmagic). (Joshua       Rogers, Anatol Belski)

    - Fixed bug #68671 (incorrect expression in libmagic).
      (Joshua Rogers, Anatol Belski)

    - Removed readelf.c and related code from libmagic       sources (Remi, Anatol)

    - Fixed bug #68735 (fileinfo out-of-bounds memory       access). (Anatol)

FPM :

  - Fixed request #68526 (Implement POSIX Access Control     List for UDS). (Remi)

    - Fixed bug #68751 (listen.allowed_clients is broken).
      (Remi)

GD :

  - Fixed bug #68601 (buffer read overflow in gd_gif_in.c).
    (Jan Bee, Remi)

    - Fixed request #68656 (Report gd library version).
      (Remi)

mbstring :

  - Fixed bug #68504 (--with-libmbfl configure option not     present on Windows). (Ashesh Vashi)

Opcache :

  - Fixed bug #68644 (strlen incorrect : mbstring +     func_overload=2 +UTF-8 + Opcache). (Laruence)

    - Fixed bug #67111 (Memory leak when using 'continue 2'       inside two foreach loops). (Nikita)

OpenSSL :

  - Improved handling of OPENSSL_KEYTYPE_EC keys. (Dominic     Luechinger)

pcntl :

  - Fixed bug #60509 (pcntl_signal doesn't decrease     ref-count of old handler when setting SIG_DFL). (Julien)

PCRE :

  - Fixed bug #66679 (Alignment Bug in PCRE 8.34 upstream).
    (Rainer Jung, Anatol Belski)

pgsql :

  - Fixed bug #68697 (lo_export return -1 on failure).
    (Ondrej Sury)

PDO :

  - Fixed bug #68371 (PDO#getAttribute() cannot be called     with platform-specifi attribute names). (Matteo)

PDO_mysql :

  - Fixed bug #68424 (Add new PDO mysql connection attr to     control multi statements option). (peter dot wolanin at     acquia dot com)

SPL :

  - Fixed bug #66405     (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME breaks     the RecursiveIterator). (Paul Garvin)

    - Fixed bug #68479 (Added escape parameter to       SplFileObject::fputcsv). (Salathe)

SQLite :

  - Fixed bug #68120 (Update bundled libsqlite to 3.8.7.2).
    (Anatol)

Streams :

  - Fixed bug #68532 (convert.base64-encode omits padding     bytes). (blaesius at krumedia dot de)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.5. It is, therefore, affected by multiple vulnerabilities:

  - A double free vulnerability in the     zend_ts_hash_graceful_destroy function in     zend_ts_hash.c in the Zend Engine could allow a remote     attacker to cause a denial of service. (CVE-2014-9425)

  - An out-of-bounds read flaw in file 'cgi_main.c' exists     when nmap is used to process an invalid file that begins     with a hash character (#) but lacks a newline character.
    A remote attacker, using a specially crafted PHP file,     can exploit this vulnerability to disclose memory     contents, cause a denial of service, or possibly execute     code. (CVE-2014-9427)

  - The mconvert function in softmagic.c does not properly     handle a certain string-length field during a copy of a     truncated version of a Pascal string, which could allow     a remote attacker to cause a denial of service.
    (CVE-2014-9652)

  - An out-of-bounds read issue exists in the GetCode_()     function in 'gd_gif_in.c'. This allows a remote attacker     to disclose memory contents. (CVE-2014-9709)

  - A use-after-free memory error exists in the     process_nested_data() function in 'var_unserializer.re'     due to improper handling of duplicate numerical keys     within the serialized properties of an object. A remote     attacker, using a crafted unserialize method call, can     exploit this vulnerability to execute arbitrary code.
    (CVE-2015-0231)

  - A flaw exists in the exif_process_unicode() function in     'exif.c' that allows freeing an uninitialized pointer. A     remote attacker, using specially crafted EXIF data in a     JPEG image, can exploit this to cause a denial of     service or to execute arbitrary code. (CVE-2015-0232)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP 5.5.x installed on the remote host is prior to 5.5.21. It is, therefore, affected by multiple vulnerabilities:

  - A double free vulnerability in the     zend_ts_hash_graceful_destroy function in     zend_ts_hash.c in the Zend Engine could allow a remote     attacker to cause a denial of service. (CVE-2014-9425)

  - An out-of-bounds read flaw in file 'cgi_main.c' exists     when nmap is used to process an invalid file that begins     with a hash character (#) but lacks a newline character.
    A remote attacker, using a specially crafted PHP file,     can exploit this vulnerability to disclose memory     contents, cause a denial of service, or possibly execute     code. (CVE-2014-9427)

  - The mconvert function in softmagic.c does not properly     handle a certain string-length field during a copy of a     truncated version of a Pascal string, which could allow     a remote attacker to cause a denial of service.
    (CVE-2014-9652)

  - An out-of-bounds read issue exists in the GetCode_()     function in 'gd_gif_in.c'. This allows a remote attacker     to disclose memory contents. (CVE-2014-9709)

  - A use-after-free memory error exists in the     process_nested_data() function in 'var_unserializer.re'     due to improper handling of duplicate numerical keys     within the serialized properties of an object. A remote     attacker, using a crafted unserialize method call, can     exploit this vulnerability to execute arbitrary code.
    (CVE-2015-0231)

  - A flaw exists in the exif_process_unicode() function in     'exif.c' that allows freeing an uninitialized pointer. A     remote attacker, using specially crafted EXIF data in a     JPEG image, can exploit this to cause a denial of     service or to execute arbitrary code. (CVE-2015-0232)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP 5.4.x installed on the remote host is prior to 5.4.37. It is, therefore, affected by multiple vulnerabilities:

  - The CGI component has an out-of-bounds read flaw in file     'cgi_main.c' when nmap is used to process an invalid     file that begins with a hash character (#) but lacks a     newline character. A remote attacker, using a specially     crafted PHP file, can exploit this vulnerability to     disclose memory contents, cause a denial of service, or     possibly execute code. (CVE-2014-9427)

  - A use-after-free memory error exists in the function     'process_nested_data' within 'var_unserializer.re' due     to the improper handling of duplicate numerical keys     within the serialized properties of an object. A remote     attacker, using a crafted unserialize method call, can     exploit this vulnerability to execute arbitrary code.
    (CVE-2015-0231)

  - A flaw exists in function 'exif_process_unicode' within     'exif.c' that allows freeing an uninitialized pointer. A     remote attacker, using specially crafted EXIF data in a     JPEG image, can exploit this to cause a denial of     service or to execute arbitrary code. (CVE-2015-0232)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
193682	RHEL 6 / 7 : php54 (RHSA-2015:1066)	Nessus	Red Hat Local Security Checks	critical
181066	Oracle Linux 6 / 7 : php54 (ELSA-2015-1066)	Nessus	Oracle Linux Local Security Checks	critical
181035	Oracle Linux 6 / 7 : php55 (ELSA-2015-1053)	Nessus	Oracle Linux Local Security Checks	critical
124997	EulerOS Virtualization 3.0.1.0 : php (EulerOS-SA-2019-1544)	Nessus	Huawei Local Security Checks	critical
98828	PHP 5.6.x < 5.6.5 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
119961	SUSE SLES12 Security Update : php5 (SUSE-SU-2015:0365-1)	Nessus	SuSE Local Security Checks	critical
8982	Mac OS X < 10.11 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	critical
86270	Mac OS X < 10.11 Multiple Vulnerabilities (GHOST)	Nessus	MacOS X Local Security Checks	critical
84923	HP System Management Homepage 7.3.x / 7.4.x < 7.5.0 Multiple Vulnerabilities (FREAK)	Nessus	Web Servers	high
82333	Mandriva Linux Security Advisory : php (MDVSA-2015:080)	Nessus	Mandriva Local Security Checks	high
81688	GLSA-201503-03 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
8615	PHP 5.4.x < 5.4.37 / 5.5.x < 5.5.21 / 5.6.x < 5.6.5 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
81418	openSUSE Security Update : php5 (openSUSE-2015-163)	Nessus	SuSE Local Security Checks	critical
81399	Ubuntu 14.04 LTS : PHP vulnerabilities (USN-2501-1)	Nessus	Ubuntu Local Security Checks	critical
81321	Amazon Linux AMI : php54 (ALAS-2015-475)	Nessus	Amazon Linux Local Security Checks	high
81320	Amazon Linux AMI : php55 (ALAS-2015-474)	Nessus	Amazon Linux Local Security Checks	high
81198	Mandriva Linux Security Advisory : php (MDVSA-2015:032)	Nessus	Mandriva Local Security Checks	high
81191	Fedora 20 : php-5.5.21-1.fc20 (2015-1101)	Nessus	Fedora Local Security Checks	high
81190	Fedora 21 : php-5.6.5-1.fc21 (2015-1058)	Nessus	Fedora Local Security Checks	high
81082	PHP 5.6.x < 5.6.5 Multiple Vulnerabilities	Nessus	CGI abuses	critical
81081	PHP 5.5.x < 5.5.21 Multiple Vulnerabilities	Nessus	CGI abuses	critical
81080	PHP 5.4.x < 5.4.37 Multiple Vulnerabilities	Nessus	CGI abuses	high

Detections

Analytics

CVE-2014-9427

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

high

high

high

high

critical

critical

high

high

high

high

high

critical

critical

high