spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data. (CVE-2016-5771)
Impact
BIG-IP and BIG-IQ
The vulnerable code exists and may be exposed through customer customization. However, these systems are not vulnerable in the default, standard, or recommended configuration.
Enterprise Manager
The vulnerability can allow unauthorized disclosure of information, unauthorized modification, or disruption of service.
F5 WebSafe Alert Server
The impact is currently unknown. F5 is still researching the issue and will update this article when the information has been confirmed. F5 Technical Support has no additional information about this issue.
CPE | Name | Operator | Version |
---|---|---|---|
big-ip afm | eq | 11.4.0 | |
big-ip afm | eq | 11.4.1 | |
big-ip afm | eq | 11.5.0 | |
big-ip afm | eq | 11.5.1 | |
big-ip afm | eq | 11.5.2 | |
big-ip afm | eq | 11.5.3 | |
big-ip afm | eq | 11.5.4 | |
big-ip afm | eq | 11.5.5 | |
big-ip afm | eq | 11.5.6 | |
big-ip afm | eq | 11.6.0 |