USN-3068-1 Libidn vulnerabilities


Severity

Medium

Vendor

Canonical Ubuntu, libidn

Versions Affected
  • Canonical Ubuntu 14.04 LTS
Description

Thijs Alkemade, Gustavo Grieco, Daniel Stenberg, and Nikos Mavrogiannopoulos discovered that Libidn incorrectly handled invalid UTF-8 characters. A remote attacker could use this issue to cause Libidn to crash, resulting in a denial of service, or possibly disclose sensitive memory. (CVE-2015-2059)

Hanno Böck discovered that Libidn incorrectly handled certain input. A remote attacker could possibly use this issue to cause Libidn to crash, resulting in a denial of service. (CVE-2015-8948, CVE-2016-6262, CVE-2016-6261, CVE-2016-6263)

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.21 AND 3232.x versions prior to 3232.19 AND other versions prior to 3262.12 are vulnerable
  • All versions of Cloud Foundry cflinuxfs2 prior to v.1.78.0
  • PCF Ops Manager versions prior to 1.6.22 and 1.7.x versions prior to 1.7.14 and 1.8.x versions prior to 1.8.3
  • PCF Elastic Runtime versions prior to 1.6.41 and 1.7.x versions prior to 1.7.23 and 1.8.x versions prior to 1.8.3
  • MySQL for PCF versions prior to 1.6.16 and 1.7.x versions prior to 1.7.14
  • RabbitMQ for PCF versions prior to 1.5.15 and 1.6.x versions prior to 1.6.7
  • Redis for PCF versions prior to 1.4.30 and 1.5.x versions prior to 1.5.20
  • PCF Metrics versions prior to 1.0.14 and 1.1.x versions prior to 1.1.0
  • PCF JMX Bridge (Ops Metrics) versions prior to 1.4.24 and 1.6.x versions prior to 1.6.18 and 1.7.x versions prior to 1.7.0
  • PCF Log Search versions prior to 1.0.0
  • Spring Cloud Services for PCF versions prior to 1.0.13 and 1.1.x versions prior to 1.1.4
  • Single Sign-On for PCF versions prior to 1.0.17
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team has released patched BOSH stemcells 3146.21 and 3232.19 with an upgraded Linux kernel that resolves the aforementioned issues. We recommend that Operators upgrade BOSH stemcell 3146.x versions to 3146.21 OR 3232.x versions to 3232.19
  • The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.78.0 or later versions
  • Upgrade PCF Ops Manager to 1.6.22 or 1.7.x versions to 1.7.14 or 1.8.x versions to 1.8.3
  • Upgrade PCF Elastic Runtime to 1.6.41 or 1.7.x versions to 1.7.23 or 1.8.x versions to 1.8.3
  • Upgrade MySQL for PCF to 1.6.16 or 1.7.x versions to 1.7.14
  • Upgrade RabbitMQ for PCF to version 1.5.15 or 1.6.x versions to 1.6.7
  • Upgrade Redis for PCF to version 1.4.30 or 1.5.x versions to 1.5.20
  • Upgrade PCF Metrics to 1.0.14 or 1.1.x versions to 1.1.0
  • PCF JMX Bridge (Ops Metrics) to 1.4.24 or 1.6.x versions to 1.6.18 or 1.7.x versions to 1.7.0
  • Upgrade PCF Log Search to version 1.0.0
  • Upgrade Spring Cloud Services for PCF to 1.0.13 or 1.1.x versions to 1.1.4
  • Upgrade Single Sign-On for PCF to 1.0.17

Special Note for 1.7.x Ops Manager Deployments

The 1.7.x release line of Ops Manager includes a new feature that allows tile stemcells to “float”, which will allow Operators to update their Ops Manager deployment once rather than installing all new Services product releases. If you upgrade one Service tile in Ops Manager 1.7.x with the newly released stemcell, all tiles will automatically upgrade. For more information about the floating stemcell feature, refer to this document.

Credit

Thijs Alkemade, Hanno Böck, Gustavo Grieco, Nikos Mavrogiannopoulos, and Daniel Stenberg

References