USN-3181-1: OpenSSL vulnerabilities
Severity
Medium
Vendor
Canonical Ubuntu
Versions Affected
- Canonical Ubuntu 14.04
Description
Guido Vranken discovered that OpenSSL used undefined behaviour when performing pointer arithmetic. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS as other releases were fixed in a previous security update. (CVE-2016-2177)
It was discovered that OpenSSL did not properly handle Montgomery multiplication, resulting in incorrect results leading to transient failures. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7055)
It was discovered that OpenSSL did not properly use constant-time operations when performing ECDSA P-256 signing. A remote attacker could possibly use this issue to perform a timing attack and recover private ECDSA keys. This issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-7056)
Shi Lei discovered that OpenSSL incorrectly handled certain warning alerts. A remote attacker could possibly use this issue to cause OpenSSL to stop responding, resulting in a denial of service. (CVE-2016-8610)
Robert Święcki discovered that OpenSSL incorrectly handled certain truncated packets. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2017-3731)
It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery squaring procedure. While unlikely, a remote attacker could possibly use this issue to recover private keys. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2017-3732)
Affected Cloud Foundry Products and Versions
Severity is medium unless otherwise noted.
- Cloud Foundry BOSH stemcells are vulnerable, including:
- 3263.x versions prior to 3263.26
- 3312.x versions prior to 3312.26
- 3363.x versions prior to 3363.24
- All other stemcells not listed.
- All versions of Cloud Foundry cflinuxfs2 prior to 1.99.0
Mitigation
OSS users are strongly encouraged to follow one of the mitigations below:
- The Cloud Foundry project recommends upgrading the following BOSH stemcells:
- Upgrade 3263.x versions to 3263.26 or later
- Upgrade 3312.x versions to 3312.26 or later
- Upgrade 3363.x versions to 3363.24 or later
- All other stemcells should be upgraded to the latest version.
- The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.99.0 or later.