CVE-2015-0282 Multiple GnuTLS Vulnerabilities


Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 10.04 LTS and 14.04 LTS

Description

Several security issues were fixed in GnuTLS. This issue only affects versions of GnuTLS prior to 3.1.0 (released in 2012). These versions do not verify that the digest algorithm encoded inside an RSA PKCS #1 signature matches the signature algorithm declared in the certificate, so a signature could be downgraded to a disallowed algorithm, such as MD5, without the mismatch being detected.
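
The consistency check that the description says was missing, as an added example (not GnuTLS code): after the RSA public operation recovers the PKCS #1 v1.5 encoded message, the digest named in its DigestInfo must equal the certificate's declared signature algorithm and must be permitted by policy. The DigestInfo prefixes are the standard DER encodings; the allowed-algorithm set, the encoding helper and the sample message are constructed for the example.

```python
import hashlib

# Standard DER prefixes of DigestInfo (AlgorithmIdentifier + OCTET STRING header)
DIGEST_INFO_PREFIX = {
    "md5":    bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}
ALLOWED = {"sha1", "sha256"}  # constructed policy: MD5 is disallowed


def pkcs1_v15_encode(digest_name: str, message: bytes, em_len: int) -> bytes:
    """Build an EMSA-PKCS1-v1_5 encoded message: 00 01 FF..FF 00 || DigestInfo (constructed helper)."""
    t = DIGEST_INFO_PREFIX[digest_name] + hashlib.new(digest_name, message).digest()
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def verify_encoded_message(em: bytes, cert_sig_alg: str, message: bytes) -> str:
    """Return 'ok' or a rejection reason. em is the RSA-recovered encoded message,
    cert_sig_alg the digest named by the certificate's signatureAlgorithm field."""
    if em[:2] != b"\x00\x01":
        return "bad-padding"
    sep = em.find(b"\x00", 2)
    # Padding string must be all 0xFF and at least 8 bytes long
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):
        return "bad-padding"
    t = em[sep + 1:]
    # Identify the digest actually named inside the signature's DigestInfo
    for name, prefix in DIGEST_INFO_PREFIX.items():
        if t.startswith(prefix):
            em_alg = name
            break
    else:
        return "unknown-digestinfo"
    # The check GnuTLS < 3.1.0 lacked: the algorithm inside the signature must
    # match the one the certificate declares, so the declared algorithm cannot
    # be silently swapped for a weaker one...
    if em_alg != cert_sig_alg:
        return f"algorithm-mismatch:{cert_sig_alg}!={em_alg}"
    # ...and the algorithm must be allowed by policy, so MD5 cannot slip through.
    if em_alg not in ALLOWED:
        return f"disallowed:{em_alg}"
    if t[len(DIGEST_INFO_PREFIX[em_alg]):] != hashlib.new(em_alg, message).digest():
        return "hash-mismatch"
    return "ok"
```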

Pivotal is aware of vulnerable versions of the GnuTLS packages but has determined that Cloud Foundry products are not likely to be affected by this vulnerability.

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • The Cloud Foundry team is expecting to release a patched BOSH stemcell and Elastic Runtime release with upgraded GnuTLS packages.

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team has determined that the project software is unlikely to be affected by the GnuTLS vulnerability and therefore does not require immediate updates. A future release of Cloud Foundry will update GnuTLS with the patched packages.
  • The Pivotal CF team has determined that Pivotal CF products, such as Pivotal Operations Manager and Pivotal Elastic Runtime, are unlikely to be affected by the GnuTLS vulnerability and therefore do not require immediate updates. A future release of Pivotal Cloud Foundry will update GnuTLS with the patched packages.

Credit

Nikos Mavrogiannopoulos

References