Security Advisory Description
Description
- CVE-2014-3981
acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file.
- CVE-2014-4049
Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function.
- CVE-2014-0207
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.
- CVE-2014-3478
Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion.
- CVE-2014-3479
The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.
- CVE-2014-3480
The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
- CVE-2014-3487
The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
- CVE-2014-3515
The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to “type confusion” issues in (1) ArrayObject and (2) SPLObjectStorage.
Impact
None. F5 products are not affected by this vulnerability.
Status
F5 Product Development has evaluated the currently supported releases for potential vulnerability.
To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:
Product |
Versions known to be vulnerable |
Versions known to be not vulnerable |
Vulnerable component or feature |
BIG-IP LTM |
None |
|
|
11.0.0 - 11.5.1 |
|
|
|
10.0.0 - 10.2.4 |
|
|
|
None |
|
|
|
BIG-IP AAM |
None |
11.4.0 - 11.5.1 |
None |
BIG-IP AFM |
None |
11.3.0 - 11.5.1 |
None |
BIG-IP Analytics |
None |
11.0.0 - 11.5.1 |
None |
BIG-IP APM |
None |
11.0.0 - 11.5.1 |
|
10.1.0 - 10.2.4 |
None |
|
|
BIG-IP ASM |
None |
11.0.0 - 11.5.1 |
|
10.0.0 - 10.2.4 |
None |
|
|
BIG-IP Edge Gateway |
|
|
|
None |
11.0.0 - 11.3.0 |
|
|
10.1.0 - 10.2.4 |
None |
|
|
BIG-IP GTM |
None |
11.0.0 - 11.5.1 |
|
10.0.0 - 10.2.4 |
None |
|
|
BIG-IP Link Controller |
None |
|
|
11.0.0 - 11.5.1 |
|
|
|
10.0.0 - 10.2.4 |
|
|
|
None |
|
|
|
BIG-IP PEM |
None |
|
|
11.3.0 - 11.5.1 |
|
|
|
None |
|
|
|
BIG-IP PSM |
None |
11.0.0 - 11.4.1 |
|
10.0.0 - 10.2.4 |
None |
|
|
BIG-IP WebAccelerator |
None |
11.0.0 - 11.3.0 |
|
10.0.0 - 10.2.4 |
None |
|
|
BIG-IP WOM |
None |
11.0.0 - 11.3.0 |
|
10.0.0 - 10.2.4 |
None |
|
|
ARX |
None |
6.1.1 - 6.4.0 |
|
5.0.0 - 5.3.1 |
|
|
|
None |
|
|
|
Enterprise Manager |
None |
3.0.0 - 3.1.1 |
|
2.1.0 - 2.3.0 |
None |
|
|
FirePass |
None |
7.0.0 |
|
6.0.0 - 6.1.0 |
None |
|
|
BIG-IQ Cloud |
None |
|
|
4.0.0 - 4.3.0 |
|
|
|
None |
|
|
|
BIG-IQ Device |
None |
4.2.0 - 4.3.0 |
None |
BIG-IQ Security |
None |
|
|
4.0.0 - 4.3.0 |
|
|
|
None |
|
|
|
LineRate |
None |
2.2.0 - 2.4.0 |
|
1.6.0 |
None |
|
|
Recommended Action
None
Supplemental Information