Cloud Foundry Logo
blog single gear
Security Advisory

USN-3116-1: DBus vulnerabilities

USN-3116-1: DBus vulnerabilities

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 14.04 LTS

Description

It was discovered that DBus incorrectly validated the source of Activation Failure signals. A local attacker could use this issue to cause a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu14.04 LTS. (CVE-2015-0245)

It was discovered that DBus incorrectly handled certain format strings. A local attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. This issue is only exposed to unprivileged users when the fix for CVE-2015-0245 is not applied, hence this issue is only likely to affect Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Ubuntu 16.04LTS and Ubuntu 16.10 have been updated as a preventative measure in the event that a new attack vector for this issue is discovered.(No CVE number)

Affected Products and Versions

Severity is medium unless otherwise noted.

  • Cloud Foundry BOSH stemcells are vulnerable, including:
    • All versions prior to 3151.5
    • 3233.x versions prior to 3233.6
    • 3263.x versions prior to 3263.12
    • 3312.x versions prior to 3312.7
    • All other versions
  • All versions of Cloud Foundry cflinuxfs2 prior to v.1.90.0

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team recommends upgrading to the following BOSH stemcells:
    • Upgrade all lower versions of 3151.x to version 3151.5
    • Upgrade all lower versions of 3233.x to version 3233.6
    • Upgrade all lower versions of 3263.x to version 3263.12
    • Upgrade all lower versions of 3312.x to version 3312.7
  • The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.90.0 or later versions

References

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES