Severity
Medium
Vendor
Canonical Ubuntu, Libtasn1
Versions Affected
Ubuntu 14.04 LTS
Description
Pascal Cuoq and Miod Vallat discovered that Libtasn1 incorrectly handled certain malformed DER certificates. A remote attacker could possibly use this issue to cause applications using Libtasn1 to hang, resulting in a denial of service. (CVE-2016-4008)
Affected Products and Versions
Severity is medium unless otherwise noted.
- All versions of Cloud Foundry rootfs prior to 1.53.0
- Cloud Foundry BOSH stemcells: 3146.x versions prior to 3146.11, and all other versions prior to 3232.2, are vulnerable.
Mitigation
Users of affected versions should apply the following mitigation:
- The Cloud Foundry project recommends that Cloud Foundry deployments run with rootfs version 1.53.0 or higher.
- The Cloud Foundry project recommends that Cloud Foundry deployments upgrade BOSH stemcell 3146.x versions to 3146.11, and all other stemcell versions to 3232.2.
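The affected-version ranges above have a branch in them (the 3146.x series has its own fix version, every other series is measured against 3232.2), which is easy to get wrong in an inventory check. The following is an added example, not code from the Cloud Foundry project, that encodes the ranges stated in this advisory so an operator can audit a constructed list of rootfs and stemcell versions; the inventory format and function names are assumptions of the example.

```python
# Fix thresholds taken from this advisory; everything below them is affected.
ROOTFS_FIXED = (1, 53, 0)
STEMCELL_3146_FIXED = (3146, 11)
STEMCELL_OTHER_FIXED = (3232, 2)


def parse_version(text):
    """Turn a dotted version string such as '3146.10' or '1.52.0' into an int tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def _at_least(version, fixed):
    """Compare with zero-padding so '1.53' and '1.53.0' are treated as equal."""
    v = parse_version(version)
    width = max(len(v), len(fixed))
    return v + (0,) * (width - len(v)) >= fixed + (0,) * (width - len(fixed))


def rootfs_vulnerable(version):
    """True for any rootfs prior to 1.53.0."""
    return not _at_least(version, ROOTFS_FIXED)


def stemcell_vulnerable(version):
    """3146.x is fixed at 3146.11; every other series is fixed at 3232.2."""
    if parse_version(version)[0] == 3146:
        return not _at_least(version, STEMCELL_3146_FIXED)
    return not _at_least(version, STEMCELL_OTHER_FIXED)


def audit_inventory(inventory):
    """Return the names of inventory entries still running an affected version.

    inventory: list of (name, kind, version) where kind is 'rootfs' or 'stemcell'.
    """
    checks = {"rootfs": rootfs_vulnerable, "stemcell": stemcell_vulnerable}
    return [name for name, kind, version in inventory if checks[kind](version)]


# Constructed sample inventory (hypothetical deployment names and versions).
SAMPLE_INVENTORY = [
    ("diego-cells", "rootfs", "1.52.0"),
    ("patched-cells", "rootfs", "1.53.0"),
    ("bosh-lite", "stemcell", "3146.10"),
    ("staging", "stemcell", "3147.5"),
    ("production", "stemcell", "3232.2"),
]

if __name__ == "__main__":
    print("still affected:", audit_inventory(SAMPLE_INVENTORY))
```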
Credit
Pascal Cuoq and Miod Vallat