Cloud Foundry Logo
blog single gear
Security Advisory

USN-2788-1 and USN-2788-2 unzip vulnerability

USN-2788-1 and USN-2788-2 unzip vulnerability

Severity

Medium

Vendor

unzip

Versions Affected

  • Ubuntu 14.04

Description

Gustavo Grieco discovered that unzip incorrectly handled certain password protected archives. If a user or automated system were tricked into processing a specially crafted zip archive, an attacker could possibly execute arbitrary code. (CVE-2015-7696)

Gustavo Grieco discovered that unzip incorrectly handled certain malformed archives. If a user or automated system were tricked into processing a specially crafted zip archive, an attacker could possibly cause unzip to hang, resulting in a denial of service. (CVE-2015-7697)

The Cloud Foundry project released a BOSH stemcell version 3130 that has the patched version of the Linux kernel. A new Cloud Foundry rootfs was also released, cflinuxfs2 v.1.17.0, that has the patches.

Affected Products and Versions

Severity is medium unless otherwise noted.

  • All versions of Cloud Foundry BOSH stemcells prior to 3130 have versions of the kernel vulnerable to USN-2806-1.
  • All versions of Cloud Foundry cflinuxfs2 prior to v.1.17.0.

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry deployments run with BOSH stemcells 3130 or later versions and cflinuxfs2 v.1.17.0 or later versions.

Credit

Gustavo Grieco

References

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES