USN-2916-1 Perl vulnerabilities


Severity

Medium

Vendor

Ubuntu, Perl

Versions Affected
  • Ubuntu 14.04 LTS
Description

Several security issues were fixed in Perl.

It was discovered that Perl incorrectly handled certain regular expressions with an invalid back-reference. An attacker could use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-7422)

Markus Vervier discovered that Perl incorrectly handled nesting in the Data::Dumper module. An attacker could use this issue to cause Perl to consume memory and crash, resulting in a denial of service. (CVE-2014-4330)

Stephane Chazelas discovered that Perl incorrectly handled duplicate environment variables. An attacker could possibly use this issue to bypass the taint protection mechanism. (CVE-2016-2381)

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • All versions of Cloud Foundry rootfs prior to 1.40.0 AND stemcell 3146.x versions prior to 3146.10 AND all other stemcell versions prior to 3213
  • Pivotal Redis 1.4.x versions prior to 1.4.21 AND 1.5.x versions prior to 1.5.10
  • Pivotal Ops Manager 1.5.x versions prior to 1.5.17 AND 1.6.x versions prior to 1.6.12
  • Pivotal Elastic Runtime 1.5.x versions prior to 1.5.17 AND 1.6.x versions prior to 1.6.18
  • Pivotal RabbitMQ 1.5.x versions prior to 1.5.8
  • Pivotal Push Notification Service 1.4.x versions prior to 1.4.3
  • Pivotal Ops Metrics 1.6.x versions prior to 1.6.10
  • Pivotal Single Sign On 1.0.x versions prior to 1.0.10
  • Pivotal Spring Cloud Services 1.0.x versions prior to 1.0.7
  • Pivotal MySQL 1.6.x versions prior to 1.6.9 AND 1.7.x versions prior to 1.7.6 AND edge release versions prior to 1.8.0-edge.3
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry deployments upgrade rootfs to version 1.40.0 or later
  • The Cloud Foundry project recommends that Cloud Foundry deployments upgrade stemcell versions 3146.x to 3146.10 or later OR all other stemcell versions to 3213 or later
  • Upgrade Pivotal Redis 1.4.x versions to 1.4.21 or later OR 1.5.x versions to 1.5.10 or later
  • Upgrade Pivotal Ops Manager 1.5.x versions to 1.5.17 or later OR 1.6.x versions to 1.6.12 or later
  • Upgrade Pivotal Elastic Runtime 1.5.x versions to 1.5.17 or later OR 1.6.x versions to 1.6.18 or later
  • Upgrade Pivotal RabbitMQ 1.5.x versions to 1.5.8 or later
  • Upgrade Pivotal Push Notification Service 1.4.x versions to 1.4.3 or later
  • Upgrade Pivotal Ops Metrics 1.6.x versions to 1.6.10 or later
  • Upgrade Pivotal Single Sign On 1.0.x versions to 1.0.10 or later
  • Upgrade Pivotal Spring Cloud Services 1.0.x versions to 1.0.7 or later
  • Upgrade Pivotal MySQL to 1.6.9 or later 1.6.x versions OR 1.7.x versions to 1.7.6 or later OR edge versions 1.8.0-edge.3 or later
Credit

Markus Vervier, Stephane Chazelas

References