Cloud Foundry Logo
blog single gear
Blog
Security Advisory

USN-6622-1: OpenSSL vulnerabilities

by: February 29, 2024

Severity

Low

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 22.04

Description

David Benjamin discovered that OpenSSL incorrectly handled excessively long X9.42 DH keys. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, leading to a denial of service. (CVE-2023-5678) Sverker Eriksson discovered that OpenSSL incorrectly handled POLY1304 MAC on the PowerPC architecture. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-6129) It was discovered that OpenSSL incorrectly handled excessively long RSA public keys. A remote attacker could possibly use this issue to cause OpenSSL to consume resources, leading to a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.04. (CVE-2023-6237) Bahaa Naamneh discovered that OpenSSL incorrectly handled certain malformed PKCS12 files. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. (CVE-2024-0727) Update Instructions: Run `sudo pro fix USN-6622-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libssl1.1 – 1.1.1f-1ubuntu2.21 libssl-dev – 1.1.1f-1ubuntu2.21 openssl – 1.1.1f-1ubuntu2.21 libssl-doc – 1.1.1f-1ubuntu2.21 No subscription required

CVEs contained in this USN include: CVE-2023-5678, CVE-2024-0727, CVE-2023-6129, CVE-2023-6237.

Affected Cloud Foundry Products and Versions

Severity is low unless otherwise noted.

  • cflinuxfs4
    • All versions prior to 1.69.0
  • Jammy Stemcells
    • 1.x versions prior to 1.360
    • All other stemcells not listed.
  • CF Deployment
    • All versions with Jammy Stemcells prior to 1.360

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below.

The Cloud Foundry project recommends upgrading the following releases:

  • cflinuxfs4
    • Upgrade all versions to 1.69.0 or greater
  • Jammy Stemcells
    • Upgrade 1.x versions to 1.360 or greater
    • All other stemcells should be upgraded to the latest version available on bosh.io.
  • CF Deployment
    • For all versions, upgrade Jammy Stemcells to 1.360 or greater

History

2024-02-29: Initial vulnerability report published.

 

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-3882-1: curl vulnerabilities
Security Advisory

USN-3882-1: curl vulnerabilities

by Cloud Foundry Foundation Security Team February 15, 2019
USN-4531-1: BusyBox vulnerability
Security Advisory

USN-4531-1: BusyBox vulnerability

by Cloud Foundry Foundation Security Team November 19, 2020
USN-3334-1: Linux kernel (Xenial HWE) vulnerabilities
Security Advisory

USN-3334-1: Linux kernel (Xenial HWE) vulnerabilities

by Cloud Foundry Foundation Security Team June 21, 2017
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept