USN-2957-1 Libtasn1 vulnerability
Severity
Medium
Vendor
Canonical Ubuntu, Libtasn1
Versions Affected
- Ubuntu 14.04 LTS
Description
Pascal Cuoq and Miod Vallat discovered that Libtasn1 incorrectly handled certain malformed DER certificates. A remote attacker could possibly use this issue to cause applications using Libtasn1 to hang, resulting in a denial of service. (CVE-2016-4008)
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- All versions of Cloud Foundry rootfs prior to 1.53.0
- Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.11 AND other versions prior to 3232.2 are vulnerable.
- Pivotal Redis 1.4.x versions prior to 1.4.23 AND 1.5.x versions prior to 1.5.12
- Pivotal RabbitMQ 1.4.x versions prior to 1.4.11 AND 1.5.x versions prior to 1.5.9
- Pivotal Push Notification Service 1.3.x AND 1.4.x versions prior to 1.4.7
- Pivotal Ops Metrics 1.6.x versions prior to 1.6.11 AND 1.7.x versions prior to 1.7.1
- Pivotal Single Sign-On 1.0.x versions prior to 1.0.11 AND 1.1.x versions prior to 1.1.1
- Pivotal Spring Cloud Services .x versions prior to .1 AND 1.0.x versions prior to 1.0.9
- Pivotal MySQL 1.6.x versions prior to 1.6.10 AND 1.7.x versions prior to 1.7.7 AND edge release versions prior to 1.8.0-edge0.5
- Pivotal Ops Manager 1.5.x versions prior to 1.5.18 AND 1.6.x versions prior to 1.6.13 AND 1.7.x versions prior to 1.7.1
- Pivotal Elastic Runtime 1.5.x versions prior to 1.5.20 AND 1.6.x versions prior to 1.6.23 AND 1.7.x versions prior to 1.7.1
Mitigation
Users of affected versions should apply the following mitigation:
- The Cloud Foundry project recommends that Cloud Foundry deployments run with rootfs version 1.53.0 and higher
- The Cloud Foundry project recommends that Cloud Foundry upgrade BOSH stemcell 3146.x versions to 3146.11 OR other versions to 3232.2
- Upgrade Pivotal Redis 1.4.x versions to 1.4.23 or later OR 1.5.x versions to 1.5.12 or later
- Upgrade Pivotal RabbitMQ 1.4.x versions to 1.4.11 or later OR 1.5.x versions to 1.5.9 or later
- Upgrade Pivotal Push Notification Service 1.4.x versions to 1.4.7 or later
- Upgrade Pivotal Ops Metrics 1.6.x versions to 1.6.11 or later OR 1.7.x versions to 1.7.1 or later
- Upgrade Pivotal Single Sign-On 1.0.x versions to 1.0.11 or later OR 1.1.x versions to 1.1.1 or later
- Upgrade Pivotal Spring Cloud Services .x versions to .1 or later OR 1.0.x versions to 1.0.9 or later
- Upgrade Pivotal MySQL to 1.6.10 or later 1.6.x versions OR 1.7.x versions to 1.7.7 or later OR edge versions 1.8.0-edge.5 or later
- Upgrade Pivotal Ops Manager 1.5.x versions to 1.5.18 or later OR 1.6.x versions to 1.6.13 or later OR 1.7.x versions to 1.7.1 or later
- Upgrade Pivotal Elastic Runtime 1.5.x versions to 1.5.20 or later OR 1.6.x versions to 1.6.23 or later OR 1.7.x versions to 1.7.1 or later
Credit
Pascal Cuoq and Miod Vallat