Severity
Medium
Vendor
Linux kernel
Versions Affected
- Ubuntu 14.04
Description
It was discovered that the SCTP protocol implementation in the Linux kernel performed an incorrect sequence of protocol-initialization steps. A local attacker could use this to cause a denial of service (system crash). (CVE-2015-5283)
Dmitry Vyukov discovered that the Linux kernel’s keyring handler attempted to garbage collect incompletely instantiated keys. A local unprivileged attacker could use this to cause a denial of service (system crash). (CVE-2015-7872)
The Cloud Foundry project released BOSH stemcell versions 3146.1 and 3149, which contain the patched version of the Linux kernel.
Affected Products and Versions
Severity is medium unless otherwise noted.
- All versions of Cloud Foundry BOSH stemcells prior to 3149 are vulnerable, except the patched 3146.x versions.
Mitigation
Users of affected versions should apply the following mitigation:
- The Cloud Foundry project recommends that Cloud Foundry deployments run with BOSH stemcells 3149 or later versions, or patched 3146.x versions.
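As an added example (not part of this advisory, and not Cloud Foundry project code), the following Python helper turns the version rule above into a check an operator can run over a list of deployed stemcell versions. It assumes a stemcell version is written as "MAJOR" or "MAJOR.MINOR" with integer parts, treats 3149 and later as fixed, and treats 3146.1 and any later 3146.x build as the patched 3146.x line; the stemcell names and versions in the sample list are constructed for the example.

```python
"""Added example: classify BOSH stemcell versions against the fixed
versions named in the advisory (3149 or later, or patched 3146.x).

Assumptions (not from the advisory): versions look like "MAJOR" or
"MAJOR.MINOR"; 3146.1 and later 3146.x builds count as patched.
"""
import re

FIXED_MAJOR = 3149        # advisory: 3149 or later is fixed
PATCHED_LINE = (3146, 1)  # advisory: 3146.1 is the patched 3146.x build
                          # (assumption: later 3146.x builds are patched too)

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Parse "3146.1" -> (3146, 1) and "3149" -> (3149, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised stemcell version: {text!r}")
    major = int(m.group(1))
    minor = int(m.group(2)) if m.group(2) is not None else 0
    return (major, minor)


def is_vulnerable(version):
    """True if the stemcell version still carries the unpatched kernel."""
    major, minor = parse_version(version)
    if major >= FIXED_MAJOR:
        return False
    if major == PATCHED_LINE[0] and minor >= PATCHED_LINE[1]:
        return False
    return True


# Constructed sample inventory (name, version); not real deployment data.
CONSTRUCTED_STEMCELLS = [
    ("sample-ubuntu-trusty-stemcell-aws", "3146"),
    ("sample-ubuntu-trusty-stemcell-aws", "3146.1"),
    ("sample-ubuntu-trusty-stemcell-vsphere", "3147"),
    ("sample-ubuntu-trusty-stemcell-openstack", "3149"),
    ("sample-ubuntu-trusty-stemcell-openstack", "3149.2"),
]


def vulnerable_stemcells(stemcells):
    """Return the (name, version) entries that still need upgrading."""
    return [(name, ver) for name, ver in stemcells if is_vulnerable(ver)]


if __name__ == "__main__":
    for name, version in vulnerable_stemcells(CONSTRUCTED_STEMCELLS):
        print(f"UPGRADE NEEDED: {name} {version}")
```

Feed `vulnerable_stemcells` the name/version pairs from your own stemcell inventory; anything it returns should be replaced with 3149 or later, or with a patched 3146.x build.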
Credit
Dmitry Vyukov