USN-2935-2 PAM regression


Severity

Low

Vendor

Ubuntu

Versions Affected
  • Ubuntu 14.04 LTS
Description

USN-2935-1 fixed vulnerabilities in PAM. The updates contained a packaging change that prevented upgrades in certain multiarch environments. USN-2935-2 fixes the problem.

Original issues from USN-2935-1:

It was discovered that the PAM pam_userdb module incorrectly used a case-insensitive method when comparing hashed passwords. A local attacker could possibly use this issue to make brute force attacks easier. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2013-7041)

Sebastian Krahmer discovered that the PAM pam_timestamp module incorrectly performed filtering. A local attacker could use this issue to create arbitrary files, or possibly bypass authentication. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2583)

Sebastien Macke discovered that the PAM pam_unix module incorrectly handled large passwords. A local attacker could possibly use this issue in certain environments to enumerate usernames or cause a denial of service. (CVE-2015-3238)

Affected Pivotal Products and Versions

Severity is low unless otherwise noted.

  • All versions of Cloud Foundry rootfs prior to 1.45.0
  • Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.11 AND other versions prior to 3215.4 are vulnerable
  • Pivotal Redis 1.4.x versions prior to 1.4.23 AND 1.5.x versions prior to 1.5.12
  • Pivotal RabbitMQ 1.4.x versions prior to 1.4.11 AND 1.5.x versions prior to 1.5.9
  • Pivotal Push Notification Service versions prior to 1.4.7
  • Pivotal Ops Metrics 1.6.x versions prior to 1.6.11 AND 1.7.x versions prior to 1.7.1
  • Pivotal Single Sign-On 1.0.x versions prior to 1.0.11 AND 1.1.x versions prior to 1.1.1
  • Pivotal Spring Cloud Services .x versions prior to .1 AND 1.0.x versions prior to 1.0.9
  • Pivotal MySQL 1.6.x versions prior to 1.6.10 AND 1.7.x versions prior to 1.7.7 AND edge release versions prior to 1.8.0-edge0.5
  • Pivotal Ops Manager 1.5.x versions prior to 1.5.18 AND 1.6.x versions prior to 1.6.13 AND 1.7.x versions prior to 1.7.1
  • Pivotal Elastic Runtime 1.5.x versions prior to 1.5.20 AND 1.6.x versions prior to 1.6.23 AND 1.7.x versions prior to 1.7.1
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry deployments run with rootfs version 1.45.0 and higher
  • The Cloud Foundry project recommends that Cloud Foundry upgrade BOSH stemcell 3146.x versions to 3146.11 OR other versions to 3232.2
  • Upgrade Pivotal Redis 1.4.x versions to 1.4.23 or later OR 1.5.x versions to 1.5.12 or later
  • Upgrade Pivotal RabbitMQ 1.4.x versions to 1.4.11 or later OR 1.5.x versions to 1.5.9 or later
  • Upgrade Pivotal Push Notification Service 1.4.x versions to 1.4.7 or later
  • Upgrade Pivotal Ops Metrics 1.6.x versions to 1.6.11 or later OR 1.7.x versions to 1.7.1 or later
  • Upgrade Pivotal Single Sign-On 1.0.x versions to 1.0.11 or later OR 1.1.x versions to 1.1.1 or later
  • Upgrade Pivotal Spring Cloud Services .x versions to .1 or later OR 1.0.x versions to 1.0.9 or later
  • Upgrade Pivotal MySQL to 1.6.10 or later 1.6.x versions OR 1.7.x versions to 1.7.7 or later OR edge versions 1.8.0-edge.5 or later
  • Upgrade Pivotal Ops Manager 1.5.x versions to 1.5.18 or later OR 1.6.x versions to 1.6.13 or later OR 1.7.x versions to 1.7.1 or later
  • Upgrade Pivotal Elastic Runtime 1.5.x versions to 1.5.20 or later OR 1.6.x versions to 1.6.23 or later OR 1.7.x versions to 1.7.1 or later
Credit

Sebastian Krahmer, Sebastien Macke

References