USN-3083-1 Linux kernel vulnerabilities


Severity

High

Vendor

Canonical Ubuntu

Versions Affected
  • Canonical Ubuntu 14.04 LTS
Description

Dmitry Vyukov discovered that the IPv6 implementation in the Linux kernel did not properly handle options data, including a use-after-free. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2016-3841)

It was discovered that a race condition existed when handling heartbeat-timeout events in the SCTP implementation of the Linux kernel. A remote attacker could use this to cause a denial of service. (CVE-2015-8767)

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • Cloud Foundry BOSH stemcells (using the 3.19 kernel) are vulnerable, including:
    • 3146.x versions prior to 3146.22
    • 3232.x versions prior to 3232.20
    • Other versions prior to 3262.15
  • PCF Ops Manager versions prior to 1.6.22 and 1.7.x versions prior to 1.7.14 and 1.8.x versions prior to 1.8.3
  • PCF Elastic Runtime versions prior to 1.6.41 and 1.7.x versions prior to 1.7.23 and 1.8.x versions prior to 1.8.3
  • MySQL for PCF versions prior to 1.6.16 and 1.7.x versions prior to 1.7.14
  • RabbitMQ for PCF versions prior to 1.5.15 and 1.6.x versions prior to 1.6.7
  • Redis for PCF versions prior to 1.4.30 and 1.5.x versions prior to 1.5.20
  • PCF Metrics versions prior to 1.0.14 and 1.1.x versions prior to 1.1.0
  • PCF JMX Bridge (Ops Metrics) versions prior to 1.4.24 and 1.6.x versions prior to 1.6.18 and 1.7.x versions prior to 1.7.0
  • PCF Log Search versions prior to 1.0.0
  • Spring Cloud Services for PCF versions prior to 1.0.13 and 1.1.x versions prior to 1.1.4
  • Single Sign-On for PCF versions prior to 1.0.17
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team has released patched BOSH stemcells 3146.22, 3232.20, and 3262.15 with an upgraded 3.19 Linux kernel that resolves the aforementioned issues. We recommend that Operators upgrade BOSH stemcell 3146.x versions to 3146.22 OR 3232.x versions to 3232.20 OR 3262.x versions to 3262.15.
  • Upgrade PCF Ops Manager to 1.6.22 or 1.7.x versions to 1.7.14 or 1.8.x versions to 1.8.3.
  • Upgrade PCF Elastic Runtime to 1.6.41 or 1.7.x versions to 1.7.23 or 1.8.x versions to 1.8.3
  • Upgrade MySQL for PCF to 1.6.16 or 1.7.x versions to 1.7.14
  • Upgrade RabbitMQ for PCF to version 1.5.15 or 1.6.x versions to 1.6.7
  • Upgrade Redis for PCF to version 1.4.30 or 1.5.x versions to 1.5.20
  • Upgrade PCF Metrics to 1.0.14 or 1.1.x versions to 1.1.0
  • PCF JMX Bridge (Ops Metrics) to 1.4.24 or 1.6.x versions to 1.6.18 or 1.7.x versions to 1.7.0
  • Upgrade PCF Log Search to version 1.0.0
  • Upgrade Spring Cloud Services for PCF to 1.0.13 or 1.1.x versions to 1.1.4
  • Upgrade Single Sign-On for PCF to 1.0.17
Credit

Dmitry Vyukov

References