Cloud Foundry Logo
blog single gear
Security Advisory

USN-3048-1 curl vulnerability

USN-3048-1 curl vulnerability




Canonical Ubuntu, curl

Versions Affected

Canonical Ubuntu 14.04 LTS


Bru Rom discovered that curl incorrectly handled client certificates when resuming a TLS session. (CVE-2016-5419)

It was discovered that curl incorrectly handled client certificates when reusing TLS connections. (CVE-2016-5420)

Marcelo Echeverria and Fernando Muñoz discovered that curl incorrectly reused a connection struct, contrary to expectations. (CVE-2016-5421)

Affected Products and Versions

Severity is medium unless otherwise noted.

  • Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.19 AND 3232.x versions prior to 3232.16 AND other versions prior to 3262.8 are vulnerable
  • All versions of Cloud Foundry cflinuxfs2 prior to v.1.73.0


Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team has released patched BOSH stemcells 3146.19 and 3232.16 with an upgraded Linux kernel that resolves the aforementioned issues. We recommend that Operators upgrade BOSH stemcell 3146.x versions to 3146.19 OR 3232.x versions to 3232.16
  • The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.73.0 or later versions


Marcelo Echeverria, Fernando Muñoz, and Bru Rom


Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR