Severity
Low to High
Vendor
Canonical Ubuntu
Versions Affected
- Canonical Ubuntu 14.10, 10.04 LTS and 14.04 LTS
Description
Several Low-to-High severity vulnerabilities impacting the versions of Ubuntu Linux included in the Cloud Foundry Stemcell and Runtime have been identified:
- It was discovered that OpenSSL incorrectly handled malformed EC private key files. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or to execute arbitrary code. (CVE-2015-0209, Low severity)
- OpenSSL incorrectly handled comparing ASN.1 boolean types. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2015-0286, Medium severity)
- OpenSSL incorrectly handled ASN.1 structure reuse. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or to execute arbitrary code. (CVE-2015-0287, Medium severity)
- OpenSSL incorrectly handled invalid certificate keys. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2015-0288, Low severity)
- OpenSSL incorrectly handled a missing outer ContentInfo when parsing PKCS#7 structures. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or to execute arbitrary code. (CVE-2015-0289, Medium severity)
- OpenSSL incorrectly handled decoding Base64-encoded data. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or to execute arbitrary code. (CVE-2015-0292, Medium severity)
- OpenSSL incorrectly handled specially crafted SSLv2 CLIENT-MASTER-KEY messages. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2015-0293, Medium severity)
- The FREAK vulnerability (CVE-2015-0204, upgraded from Medium to High severity).
Affected Products and Versions
Severity is low unless otherwise noted.
- BOSH: All versions of Cloud Foundry BOSH stemcells prior to v2889 include OpenSSL 1.0.1f and thus are vulnerable to the aforementioned CVEs.
- Cloud Foundry Runtime cf-release versions prior to 205 contain the lucid and cflinuxfs2 RootFS, which include OpenSSL 0.9.8k and 1.0.1f and thus are vulnerable to the aforementioned CVEs.
Mitigation
Users of affected versions should apply the following mitigation:
- The Cloud Foundry project recommends that Cloud Foundry Runtime deployments running cf-release v204 or earlier upgrade to v205 or later, and to BOSH stemcells v2889 or later, which contain the patched versions of OpenSSL that resolve the aforementioned CVEs.
Credit
Stephen Henson – CVE-2015-0209
Emilia Käsper – CVE-2015-0286
Brian Carpenter – CVE-2015-0288
Michal Zalewski – CVE-2015-0289
Robert Dugal and David Ramos – CVE-2015-0292
Sean Burford and Emilia Käsper – CVE-2015-0293