Severity
Low
Vendor
Ubuntu
Versions Affected
- Ubuntu 14.04 LTS
Description
USN-2935-1 fixed vulnerabilities in PAM. The updates contained a packaging change that prevented upgrades in certain multiarch environments. USN-2935-2 fixes the problem.
Original issues from USN-2935-1:
It was discovered that the PAM pam_userdb module incorrectly used a case-insensitive method when comparing hashed passwords. A local attacker could possibly use this issue to make brute force attacks easier. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2013-7041)
Sebastian Krahmer discovered that the PAM pam_timestamp module incorrectly performed filtering. A local attacker could use this issue to create arbitrary files, or possibly bypass authentication. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2583)
Sebastien Macke discovered that the PAM pam_unix module incorrectly handled large passwords. A local attacker could possibly use this issue in certain environments to enumerate usernames or cause a denial of service. (CVE-2015-3238)
Affected Products and Versions
Severity is low unless otherwise noted.
- All versions of Cloud Foundry rootfs prior to 1.45.0
- Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.11 AND other versions prior to 3215.4 are vulnerable
Mitigation
Users of affected versions should apply the following mitigation:
- The Cloud Foundry project recommends that Cloud Foundry deployments run with rootfs version 1.45.0 and higher
- The Cloud Foundry project recommends that Cloud Foundry upgrade BOSH stemcell 3146.x versions to 3146.11 OR other versions to 3232.2
Credit
Sebastian Krahmer, Sebastien Macke
