CVE-2015-1330 Unattended-Upgrades Vulnerability
Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected
  • Canonical Ubuntu 14.04 LTS

Description

It was found that for some configurations, unattended-upgrades would not properly perform authentication checks on packages prior to installation. An attacker could thus trick unattended-upgrades into installing altered packages.

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • Any Cloud Foundry deployment with Ubuntu Trusty BOSH stemcells 3003 and prior.
  • Pivotal Cloud Foundry Elastic Runtime 1.4.5 and prior.

Mitigation

Users of affected versions should apply the following mitigation:

  • BOSH stemcell 3004 contains the patched version of unattended-upgrades that resolves CVE-2015-1330. The Cloud Foundry team recommends upgrading to BOSH stemcell 3004 or higher to address this concern.
  • Pivotal Cloud Foundry Elastic Runtime will incorporate the patched version of unattended-upgrades in the next regularly-scheduled patch release of Pivotal Cloud Foundry Elastic Runtime, currently planned for 8/4/15.

Credit

Canonical Ubuntu

References