USN-3172-1: Bind vulnerabilities
Severity
Medium
Vendor
Ubuntu
Versions Affected
- Ubuntu 14.04 LTS
Description
It was discovered that Bind incorrectly handled certain malformed responses to an ANY query. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2016-9131)
It was discovered that Bind incorrectly handled certain malformed responses to an ANY query. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2016-9147)
It was discovered that Bind incorrectly handled certain malformed DS record responses. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2016-9444)
Affected Products and Versions
Severity is medium unless otherwise noted.
- Cloud Foundry BOSH stemcells are vulnerable, including:
  - 3151.x versions prior to 3151.7
  - 3233.x versions prior to 3233.10
  - 3263.x versions prior to 3263.15
- All versions of Cloud Foundry cflinuxfs2 prior to v1.45.0
Mitigation
OSS users are strongly encouraged to follow one of the mitigations below:
- The Cloud Foundry team recommends upgrading to the following BOSH stemcells:
  - Upgrade all lower versions of 3151.x to version 3151.7
  - Upgrade all lower versions of 3233.x to version 3233.10
  - Upgrade all lower versions of 3263.x to version 3263.15
- The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v1.45.0 or later versions
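
A version check against the thresholds listed above, as an added example that is not part of the original advisory. The function names and the inventory tuples are constructed for illustration; stemcell lines the advisory does not list are reported as "unlisted" rather than assumed safe.

```python
# Added example: thresholds are copied from this advisory; the inventory is constructed.
FIXED_STEMCELLS = {3151: 7, 3233: 10, 3263: 15}  # stemcell line -> first fixed release
FIXED_ROOTFS = (1, 45, 0)                        # cflinuxfs2 v1.45.0

def parse_version(text):
    """Turn '3233.9' or 'v1.44.0' into a tuple of ints; raise ValueError on junk."""
    parts = text.strip().lstrip("v").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def stemcell_status(version):
    """Return 'vulnerable', 'fixed' or 'unlisted' for a BOSH stemcell version."""
    parsed = parse_version(version)
    line = parsed[0]
    if line not in FIXED_STEMCELLS:
        return "unlisted"  # the advisory says "including", so this is not proof of safety
    # Tuple comparison handles '3263.14.1' (vulnerable) and a bare '3233' (vulnerable).
    return "vulnerable" if parsed[1:] < (FIXED_STEMCELLS[line],) else "fixed"

def rootfs_status(version):
    """Return 'vulnerable' or 'fixed' for a cflinuxfs2 version."""
    parsed = parse_version(version)
    padded = parsed + (0,) * (3 - len(parsed))  # 'v1.45' is treated as 1.45.0
    return "vulnerable" if padded < FIXED_ROOTFS else "fixed"

def audit(inventory):
    """inventory: iterable of (deployment, kind, version); kind is 'stemcell' or 'cflinuxfs2'."""
    findings = []
    for deployment, kind, version in inventory:
        status = stemcell_status(version) if kind == "stemcell" else rootfs_status(version)
        if status != "fixed":
            findings.append((deployment, kind, version, status))
    return findings

# Constructed sample inventory (hypothetical deployment names).
SAMPLE_INVENTORY = [
    ("cf-prod", "stemcell", "3263.14"),
    ("cf-prod", "cflinuxfs2", "v1.45.0"),
    ("cf-staging", "stemcell", "3233.10"),
    ("cf-staging", "cflinuxfs2", "1.44.0"),
    ("cf-lab", "stemcell", "3312.12"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding)
```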