CVE-2015-1330 Unattended-Upgrades Vulnerability

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

Canonical Ubuntu 14.04 LTS

Description

It was found that for some configurations, unattended-upgrades would not properly perform authentication checks on packages prior to installation. An attacker could thus trick unattended-upgrades into installing altered packages.

Affected Products and Versions

Severity is medium unless otherwise noted.

Any Cloud Foundry deployment with Ubuntu Trusty BOSH stemcells 3003 and prior.

Mitigation

Users of affected versions should apply the following mitigation:

BOSH stemcell 3004 contains the patched version of unattended-upgrades that resolves CVE-2015-1330. The Cloud Foundry team recommends upgrading to BOSH stemcell 3004 or higher to address this concern.

Credit

Canonical Ubuntu

References

http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1330.html
http://www.ubuntu.com/usn/usn-2657-1/
https://bosh.io/stemcells
https://github.com/cloudfoundry/cf-release

CVE-2015-1330 Unattended-Upgrades Vulnerability

Severity

Vendor

Versions Affected

Description

Affected Products and Versions

Mitigation

Credit

References

You Might Also Like

USN-3816-2: systemd vulnerability

USN-6673-1: python-cryptography vulnerabilities

CVE-2014-6271 and CVE-2014-7169 – ShellShock

Sign up for the Cloud Foundry Newsletter today!

Sign up for the
Cloud Foundry Newsletter today!