Pivotal + VMware: Transforming how more of the world builds software

All Vulnerability Reports

USN-2935-2 PAM regression


Severity

Low

Vendor

Ubuntu

Versions Affected
  • Ubuntu 14.04 LTS
Description

USN-2935-1 fixed vulnerabilities in PAM. The updates contained a packaging change that prevented upgrades in certain multiarch environments. USN-2935-2 fixes the problem.

Original issues from USN-2935-1:

It was discovered that the PAM pam_userdb module incorrectly used a case-insensitive method when comparing hashed passwords. A local attacker could possibly use this issue to make brute force attacks easier. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2013-7041)

Sebastian Krahmer discovered that the PAM pam_timestamp module incorrectly performed filtering. A local attacker could use this issue to create arbitrary files, or possibly bypass authentication. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2583)

Sebastien Macke discovered that the PAM pam_unix module incorrectly handled large passwords. A local attacker could possibly use this issue in certain environments to enumerate usernames or cause a denial of service. (CVE-2015-3238)

Affected Pivotal Products and Versions

Severity is low unless otherwise noted.

  • All versions of Cloud Foundry rootfs prior to 1.45.0
  • Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.11 AND other versions prior to 3215.4 are vulnerable
  • Pivotal Redis 1.4.x versions prior to 1.4.23 AND 1.5.x versions prior to 1.5.12
  • Pivotal RabbitMQ 1.4.x versions prior to 1.4.11 AND 1.5.x versions prior to 1.5.9
  • Pivotal Push Notification Service versions prior to 1.4.7
  • Pivotal Ops Metrics 1.6.x versions prior to 1.6.11 AND 1.7.x versions prior to 1.7.1
  • Pivotal Single Sign-On 1.0.x versions prior to 1.0.11 AND 1.1.x versions prior to 1.1.1
  • Pivotal Spring Cloud Services .x versions prior to .1 AND 1.0.x versions prior to 1.0.9
  • Pivotal MySQL 1.6.x versions prior to 1.6.10 AND 1.7.x versions prior to 1.7.7 AND edge release versions prior to 1.8.0-edge0.5
  • Pivotal Ops Manager 1.5.x versions prior to 1.5.18 AND 1.6.x versions prior to 1.6.13 AND 1.7.x versions prior to 1.7.1
  • Pivotal Elastic Runtime 1.5.x versions prior to 1.5.20 AND 1.6.x versions prior to 1.6.23 AND 1.7.x versions prior to 1.7.1
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry deployments run with rootfs version 1.45.0 and higher
  • The Cloud Foundry project recommends that Cloud Foundry upgrade BOSH stemcell 3146.x versions to 3146.11 OR other versions to 3232.2
  • Upgrade Pivotal Redis 1.4.x versions to 1.4.23 or later OR 1.5.x versions to 1.5.12 or later
  • Upgrade Pivotal RabbitMQ 1.4.x versions to 1.4.11 or later OR 1.5.x versions to 1.5.9 or later
  • Upgrade Pivotal Push Notification Service 1.4.x versions to 1.4.7 or later
  • Upgrade Pivotal Ops Metrics 1.6.x versions to 1.6.11 or later OR 1.7.x versions to 1.7.1 or later
  • Upgrade Pivotal Single Sign-On 1.0.x versions to 1.0.11 or later OR 1.1.x versions to 1.1.1 or later
  • Upgrade Pivotal Spring Cloud Services .x versions to .1 or later OR 1.0.x versions to 1.0.9 or later
  • Upgrade Pivotal MySQL to 1.6.10 or later 1.6.x versions OR 1.7.x versions to 1.7.7 or later OR edge versions 1.8.0-edge.5 or later
  • Upgrade Pivotal Ops Manager 1.5.x versions to 1.5.18 or later OR 1.6.x versions to 1.6.13 or later OR 1.7.x versions to 1.7.1 or later
  • Upgrade Pivotal Elastic Runtime 1.5.x versions to 1.5.20 or later OR 1.6.x versions to 1.6.23 or later OR 1.7.x versions to 1.7.1 or later
Credit

Sebastian Krahmer, Sebastien Macke

References
Contact us