Cloud Foundry Logo
blog single gear
Security Advisory

USN-4008-2: AppArmor update

USN-4008-2: AppArmor update

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 16.04

Description

USN-4008-1 fixed multiple security issues in the Linux kernel. This update provides the corresponding changes to AppArmor policy for correctly operating under the Linux kernel with fixes for CVE-2019-11190. Without these changes, some profile transitions may be unintentionally denied due to missing mmap (’m’) rules.

Original advisory details:

Robert Święcki discovered that the Linux kernel did not properly apply Address Space Layout Randomization (ASLR) in some situations for setuid elf binaries. A local attacker could use this to improve the chances of exploiting an existing vulnerability in a setuid elf binary. (CVE-2019-11190)

It was discovered that a null pointer dereference vulnerability existed in the LSI Logic MegaRAID driver in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2019-11810)

It was discovered that a race condition leading to a use-after-free existed in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel. The RDS protocol is blacklisted by default in Ubuntu. If enabled, a local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2019-11815)

Federico Manuel Bento discovered that the Linux kernel did not properly apply Address Space Layout Randomization (ASLR) in some situations for setuid a.out binaries. A local attacker could use this to improve the chances of exploiting an existing vulnerability in a setuid a.out binary. (CVE-2019-11191)

As a hardening measure, this update disables a.out support.

CVEs contained in this USN include: CVE-2019-11190, CVE-2019-11191, CVE-2019-11810, CVE-2019-11815

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

  • Cloud Foundry BOSH xenial-stemcells are vulnerable, including:
    • 315.x versions prior to 315.41
    • 250.x versions prior to 250.63
    • 170.x versions prior to 170.82
    • 97.x versions prior to 97.113
    • All other stemcells not listed.

Mitigation

Users of affected products are strongly encouraged to follow one of the mitigations below:

  • The Cloud Foundry project recommends upgrading the following BOSH xenial-stemcells:
    • Upgrade 315.x versions to 315.41
    • Upgrade 250.x versions to 250.63
    • Upgrade 170.x versions to 170.82
    • Upgrade 97.x versions to 97.113
    • All other stemcells should be upgraded to the latest version available on bosh.io.

References

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES