Severity
Medium
Vendor
Perl 5
Versions Affected
- Ubuntu 14.04
Description
Michele Spagnuolo discovered that PCRE incorrectly handled certain regular expressions. A remote attacker could use this issue to cause applications using PCRE to crash, resulting in a denial of service, or possibly execute arbitrary code.
The Cloud Foundry project released a BOSH stemcell version 3030 and a cflinuxfs2 rootfs stack that have the patched version of OpenSSH.
Affected Products and Versions
Severity is medium unless otherwise noted.
- All versions of Cloud Foundry BOSH stemcells prior to 3030 have versions of OpenSSH vulnerable to USN-2698-1
- All versions of Cloud Foundry cflinuxfs2 prior to 1.2.0 have versions of OpenSSH vulnerable to USN-2698-1
Mitigation
Users of affected versions should apply the following mitigation:
- The Cloud Foundry project recommends that Cloud Foundry deployments run with BOSH stemcells 3030 or later versions, and cflinuxfs2 version 1.2.0 or later versions.
Credit
Michele Spagnuolo
