Severity
Medium
Vendor
Canonical Ubuntu
Versions Affected
- Canonical Ubuntu 16.04
Description
It was discovered that the AMD Cryptographic Coprocessor device driver in the Linux kernel did not properly deallocate memory in some situations. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-18808)
It was discovered that the Conexant 23885 TV card device driver for the Linux kernel did not properly deallocate memory in some error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19054)
It was discovered that the ADIS16400 IIO IMU Driver for the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19061)
It was discovered that the AMD Audio Coprocessor driver for the Linux kernel did not properly deallocate memory in certain error conditions. A local attacker with the ability to load modules could use this to cause a denial of service (memory exhaustion). (CVE-2019-19067)
It was discovered that the Atheros HTC based wireless driver in the Linux kernel did not properly deallocate in certain error conditions. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2019-19073, CVE-2019-19074)
It was discovered that the F2FS file system in the Linux kernel did not properly perform bounds checking in some situations, leading to an out-of- bounds read. A local attacker could possibly use this to expose sensitive information (kernel memory). (CVE-2019-9445)
It was discovered that the VFIO PCI driver in the Linux kernel did not properly handle attempts to access disabled memory spaces. A local attacker could use this to cause a denial of service (system crash). (CVE-2020-12888)
It was discovered that the cgroup v2 subsystem in the Linux kernel did not properly perform reference counting in some situations, leading to a NULL pointer dereference. A local attacker could use this to cause a denial of service or possibly gain administrative privileges. (CVE-2020-14356)
It was discovered that the state of network RNG in the Linux kernel was potentially observable. A remote attacker could use this to expose sensitive information. (CVE-2020-16166)
CVEs contained in this USN include: CVE-2019-19061, CVE-2019-19067, CVE-2020-14356, CVE-2019-18808, CVE-2019-19054, CVE-2020-12888, CVE-2020-16166, CVE-2019-19073, CVE-2019-19074, CVE-2019-9445.
Affected Cloud Foundry Products and Versions
Severity is medium unless otherwise noted.
- Xenial Stemcells
- 250.x versions prior to 250.207
- 315.x versions prior to 315.194
- 456.x versions prior to 456.121
- 621.x versions prior to 621.85
- All other stemcells not listed.
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
- Xenial Stemcells
- Upgrade 250.x versions to 250.207 or greater
- Upgrade 315.x versions to 315.194 or greater
- Upgrade 456.x versions to 456.121 or greater
- Upgrade 621.x versions to 621.85 or greater
- All other stemcells should be upgraded to the latest version available on bosh.io.
References
History
2020-11-20: Initial vulnerability report published.