USN-2756-1 rpcbind Vulnerability


Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected
  • Canonical Ubuntu 14.04 LTS
Description

rpcbind could be made to crash or run programs if it received specially crafted network traffic. It was discovered that rpcbind incorrectly handled certain memory structures. A remote attacker could use this issue to cause rpcbind to crash, resulting in a denial of service, or possibly execute arbitrary code.

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • BOSH: All Cloud Foundry BOSH stemcells prior to v3094 are vulnerable to the rpcbind issue described above.
  • Products in the PCF Suite which reference BOSH stemcell v3093 or earlier are vulnerable to the rpcbind issue described above:
    • Ops Manager v1.5.6 or earlier
    • Elastic Runtime v1.5.5 or earlier
    • MySQL for Pivotal Cloud Foundry v1.6.2 or earlier
    • Session State Caching Powered by Pivotal Gemfire v1.0.2 or earlier
    • RabbitMQ for Pivotal Cloud Foundry v1.4.4 or earlier
    • Redis for Pivotal Cloud Foundry v1.4.8 or earlier
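The list above is easy to misread when checking an inventory by hand: a plain string comparison ranks "1.5.10" below "1.5.6", so a patched Ops Manager can be flagged as vulnerable or, worse, a vulnerable one can be passed. The following is an added example, not code from Pivotal or from the advisory, that encodes the thresholds listed above and audits a constructed sample inventory with numeric version comparison. The inventory records, the `audit` function and the "not covered" status for products this advisory does not mention are assumptions made for the example.

```python
# Added example (not from the Pivotal advisory): an offline audit helper that
# flags BOSH stemcells and PCF products still inside the affected ranges that
# the advisory lists. Thresholds are copied from the advisory text; the
# inventory at the bottom is constructed sample data, not a real deployment.

# The advisory says stemcells "prior to v3094" are vulnerable, so v3094 is the
# first version treated as fixed.
FIXED_STEMCELL = 3094

# Last affected version per product, exactly as listed in the advisory.
# Anything at or below these versions is exposed.
LAST_AFFECTED = {
    "Ops Manager": "1.5.6",
    "Elastic Runtime": "1.5.5",
    "MySQL for Pivotal Cloud Foundry": "1.6.2",
    "Session State Caching Powered by Pivotal Gemfire": "1.0.2",
    "RabbitMQ for Pivotal Cloud Foundry": "1.4.4",
    "Redis for Pivotal Cloud Foundry": "1.4.8",
}


def parse_version(version):
    """Turn 'v1.5.10' into (1, 5, 10).

    Tuples of ints compare numerically; comparing the raw strings would put
    '1.5.10' before '1.5.6' and misclassify a patched product.
    """
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def stemcell_is_affected(version):
    """True if the stemcell's major version number is below the first fixed one.

    Accepts '3093', 'v3093' or '3093.1'; only the leading number matters for
    the 'prior to v3094' rule.
    """
    major = parse_version(str(version))[0]
    return major < FIXED_STEMCELL


def product_is_affected(product, version):
    """True if the product is listed in the advisory and at or below its last
    affected version; None if the advisory does not cover the product."""
    if product not in LAST_AFFECTED:
        return None
    return parse_version(version) <= parse_version(LAST_AFFECTED[product])


def audit(stemcells, products):
    """Return (item, version, status) findings for a stemcell and product inventory.

    Status is 'AFFECTED', 'ok', or 'not covered' (product not in this advisory).
    """
    findings = []
    for sc in stemcells:
        status = "AFFECTED" if stemcell_is_affected(sc["version"]) else "ok"
        findings.append((sc["name"], sc["version"], status))
    for p in products:
        result = product_is_affected(p["product"], p["version"])
        if result is None:
            status = "not covered"
        else:
            status = "AFFECTED" if result else "ok"
        findings.append((p["product"], p["version"], status))
    return findings


# Constructed sample inventory (assumption for the example; not real data).
SAMPLE_STEMCELLS = [
    {"name": "bosh-aws-xen-ubuntu-trusty-go_agent", "version": "3093"},
    {"name": "bosh-vsphere-esxi-ubuntu-trusty-go_agent", "version": "3094"},
]
SAMPLE_PRODUCTS = [
    {"product": "Ops Manager", "version": "1.5.10"},
    {"product": "Elastic Runtime", "version": "1.5.5"},
    {"product": "Redis for Pivotal Cloud Foundry", "version": "1.4.9"},
    {"product": "Spring Cloud Services", "version": "1.0.0"},
]


def affected_items(stemcells=SAMPLE_STEMCELLS, products=SAMPLE_PRODUCTS):
    """Names of inventory items the advisory marks as affected."""
    return [name for name, _, status in audit(stemcells, products) if status == "AFFECTED"]


if __name__ == "__main__":
    for name, version, status in audit(SAMPLE_STEMCELLS, SAMPLE_PRODUCTS):
        print(f"{status:12} {name} {version}")
```

Run against the sample inventory, only the v3093 stemcell and Elastic Runtime 1.5.5 are reported as affected; Ops Manager 1.5.10 and Redis 1.4.9 are above their thresholds, and the product the advisory does not mention is reported as "not covered" rather than silently passed.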
Mitigation

Users of affected versions should apply the following mitigation:

Credit

Unknown

References