Severity
High
Vendor
Canonical Ubuntu, gnupg
Versions Affected
Canonical Ubuntu 14.04 LTS
Description
Felix Dörre and Vladimir Klebanov discovered that GnuPG incorrectly handled mixing functions in the random number generator. An attacker able to obtain 4640 bits from the RNG can trivially predict the next 160 bits of output.
Affected Products and Versions
Severity is high unless otherwise noted.
- Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.20 AND 3232.x versions prior to 3232.17 AND other versions prior to 3262.8 are vulnerable
- All versions of Cloud Foundry cflinuxfs2 prior to v.1.77.0
Mitigation
Users of affected versions should apply the following mitigation:
- The Cloud Foundry team has released patched BOSH stemcells 3146.20 and 3232.17 with an upgraded Linux kernel that resolves the aforementioned issues. We recommend that Operators upgrade BOSH stemcell 3146.x versions to 3146.20 OR 3232.x versions to 3232.17
- The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.77.0 or later versions
Credit
Felix Dörre and Vladimir Klebanov
