Security Advisory

USN-2537-1: OpenSSL vulnerabilities

Severity

Low to High

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 14.10, 10.04 LTS and 14.04 LTS

Description

Several Low-to-High severity vulnerabilities impacting the versions of Ubuntu Linux included in the Cloud Foundry Stemcell and Runtime have been identified:

  • It was discovered that OpenSSL incorrectly handled malformed EC private key files. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or to execute arbitrary code. (CVE-2015-0209, Low severity)
  • OpenSSL incorrectly handled comparing ASN.1 boolean types. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2015-0286, Medium severity)
  • OpenSSL incorrectly handled ASN.1 structure reuse. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2015-0287, Medium severity)
  • OpenSSL incorrectly handled invalid certificate keys. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2015-0288, Low severity)
  • OpenSSL incorrectly handled missing outer ContentInfo when parsing PKCS#7 structures. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2015-0289, Medium severity)
  • OpenSSL incorrectly handled decoding Base64 encoded data. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2015-0292, Medium severity)
  • OpenSSL incorrectly handled specially crafted SSLv2 CLIENT-MASTER-KEY messages. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2015-0293, Medium severity)
  • The FREAK vulnerability: OpenSSL clients accepted a temporary RSA key in a non-export RSA key exchange, so a man-in-the-middle could downgrade a connection to a factorable 512-bit export-grade key. (CVE-2015-0204, upgraded from Medium to High severity)

Affected Products and Versions

Severity is low unless otherwise noted.

  • BOSH: All Cloud Foundry BOSH stemcells prior to 2889 include OpenSSL 1.0.1f and thus are vulnerable to the aforementioned CVEs.
  • Cloud Foundry Runtime cf-release versions prior to 205 contain the lucid and cflinuxfs2 RootFS, which include OpenSSL 0.9.8k and 1.0.1f and thus are vulnerable to the aforementioned CVEs.

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry Runtime deployments running cf-release v204 or earlier upgrade to cf-release v205 or later and to BOSH stemcell 2889 or later; both contain the patched OpenSSL packages that resolve the aforementioned CVEs.

Credit

Stephen Henson – CVE-2015-0209

Emilia Käsper – CVE-2015-0286

Brian Carpenter – CVE-2015-0288

Michal Zalewski – CVE-2015-0289

Robert Dugal and David Ramos – CVE-2015-0292

Sean Burford and Emilia Käsper – CVE-2015-0293

Author: Cloud Foundry Foundation Security Team