CVE-2014-7186 and CVE-2014-7187


Severity

Moderate

Vendor

Canonical Ubuntu

Versions Affected
  • Canonical Ubuntu 10.04 LTS and 14.04 LTS shipping GNU Bash through 4.3 bash43-026
Description

CVE-2014-7186: The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the 'redir_stack' issue.

CVE-2014-7187: Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the 'word_lineno' issue.
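Both issues are parser crashes, so the practical check is to feed a bash binary the two triggering inputs and see whether it survives. The script below is an added example, not part of this advisory or of the Cloud Foundry project: it runs the widely circulated probes for each bug against the binary named by BASH_BIN (an assumed variable, defaulting to the bash on PATH), redirects bash's here-document warnings away, and reports "patched" when bash exits 0, "vulnerable" when it fails (a vulnerable parser dies with SIGSEGV), and "no-bash" when the binary cannot be run at all, so a missing interpreter is not mistaken for a crash.

```shell
#!/bin/sh
# Added example: probe a bash binary for the two parse.y bugs
# described above. Not code from the advisory or from Cloud Foundry.
#
# Assumption: BASH_BIN names the binary under test (default: bash on PATH).
# Point it at a stemcell's /bin/bash to check a BOSH VM image.
BASH_BIN="${BASH_BIN:-bash}"

# True only if the binary can be executed at all.
have_bash() {
    "$BASH_BIN" -c 'exit 0' >/dev/null 2>&1
}

# CVE-2014-7186 (redir_stack): fourteen here-document redirections on a
# single command overrun the fixed-size redir_stack array in a vulnerable
# parser. A patched bash only warns that the here documents are unterminated
# and exits 0 from "true".
check_redir_stack() {
    have_bash || { echo no-bash; return; }
    if "$BASH_BIN" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1; then
        echo patched
    else
        echo vulnerable
    fi
}

# Emit a script of $1 nested "for" loops with empty word lists, each
# closed by a matching "done". With an empty list nothing executes, so a
# correct parser exits 0 regardless of depth.
gen_nested_for() {
    depth=$1
    i=1
    while [ "$i" -le "$depth" ]; do
        echo "for x$i in ; do :"
        i=$((i + 1))
    done
    i=1
    while [ "$i" -le "$depth" ]; do
        echo "done"
        i=$((i + 1))
    done
}

# CVE-2014-7187 (word_lineno): 200 nested loops push word_top past the end
# of the word_lineno array in read_token_word on a vulnerable parser.
check_word_lineno() {
    have_bash || { echo no-bash; return; }
    if gen_nested_for 200 | "$BASH_BIN" >/dev/null 2>&1; then
        echo patched
    else
        echo vulnerable
    fi
}

main() {
    echo "redir_stack (CVE-2014-7186): $(check_redir_stack)"
    echo "word_lineno (CVE-2014-7187): $(check_word_lineno)"
}

main "$@"
```

Running it inside a BOSH VM (or with BASH_BIN pointed at an extracted stemcell's bash) gives a direct answer independent of package version strings, which is useful when a stemcell carries a locally rebuilt bash whose version number does not reveal which upstream patches it includes.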

The Cloud Foundry project is not aware of any way in which the vulnerable bash binaries in affected versions can be made to cause a denial of service remotely. No exploits have been identified or confirmed yet.

Pivotal is not aware of any way in which the vulnerable bash binaries in affected versions can be made to cause a denial of service remotely against Pivotal CF. No exploits have been identified or confirmed yet.

Affected Pivotal Products and Versions

Severity is moderate unless otherwise noted.

  • All Cloud Foundry BOSH stemcells 2719.2 and prior have bash executables vulnerable to CVE-2014-7186 and CVE-2014-7187.
  • All versions of Cloud Foundry runtime v187 and prior have bash executables vulnerable to CVE-2014-7186 and CVE-2014-7187.
  • Pivotal CF and Pivotal Operations Manager 1.0.0.0 to 1.3.1.0
  • All Pivotal CF Services 1.3.0.0 and prior
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry Runtime deployments running release v187 or earlier upgrade to v188 or later, and to BOSH stemcells 2719.3 or later, when they become available; these releases are planned to contain the patched version of bash that resolves CVE-2014-7186 and CVE-2014-7187.
  • The Pivotal CF team is actively working on patch releases to Elastic Runtime and Operations Manager that resolve CVE-2014-7186 and CVE-2014-7187. Once the patch is available, Pivotal recommends that customers upgrade to the version of Pivotal CF that contains the 2690.3 stemcell and cf-release version 183.3, which is expected to contain the fix for both bash vulnerabilities. The Pivotal CF builds with the patch are still being packaged; this notice will be updated when they are available on Pivotal Network.
Credit

Florian Weimer and Todd Sabin

References
History

2014-Sep-29: Initial vulnerability report published.