USN-3156-1: APT vulnerability

Severity

High

Vendor

Canonical Ubuntu

Versions Affected

Canonical Ubuntu 14.04 LTS

Description

Jann Horn discovered that APT incorrectly handled InRelease files, the inline-signed repository index whose signature is what allows APT to trust the package lists and packages it downloads. A remote attacker positioned to perform a man-in-the-middle attack on repository traffic could use this flaw to have APT accept and install altered packages.

Affected Cloud Foundry Products and Versions

Severity is high unless otherwise noted.

  • Cloud Foundry BOSH stemcells are vulnerable, including:
    • All versions prior to 3151.6
    • 3233.x versions prior to 3233.8
    • 3263.x versions prior to 3263.13
    • 3312.x versions prior to 3312.8
    • All versions of any other stemcell line
  • All versions of Cloud Foundry cflinuxfs2 prior to v1.94.0

Mitigation

OSS users are strongly encouraged to apply each of the mitigations below that is relevant to their deployment (stemcells and cflinuxfs2 are patched independently, so a deployment using both needs both):

  • The Cloud Foundry team recommends upgrading to the following BOSH stemcells:
    • Upgrade all lower versions of 3151.x to version 3151.6 or later
    • Upgrade all lower versions of 3233.x to version 3233.8 or later
    • Upgrade all lower versions of 3263.x to version 3263.12 or later
    • Upgrade all lower versions of 3312.x to version 3312.8 or later
  • The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v1.94.0 or later.
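To turn the version ranges in this advisory into an operational check, the following is an added example (written for this page, not Cloud Foundry project code) that audits an inventory of BOSH stemcell and cflinuxfs2 versions against the "Versions Affected" list and reports what needs upgrading. The sample inventory is constructed; in practice the stemcell versions would come from `bosh stemcells` and the rootfs version from your deployment manifest. Two readings are assumptions of this example: "All other versions" is interpreted as any stemcell line that did not receive a fix, and for such a line the newest fixed line is suggested as the migration target since the advisory names none.

```python
"""Audit BOSH stemcell and cflinuxfs2 versions against the USN-3156-1 advisory ranges.

Added example, not Cloud Foundry project code. Fixed versions are taken from the
advisory's "Versions Affected" list; the inventory below is constructed sample data.
"""
from typing import Dict, List, Tuple

# First fixed patch level per stemcell line, per the advisory. Any line not listed
# here is treated as vulnerable ("All other versions").
FIXED_STEMCELL_LINES: Dict[int, int] = {
    3151: 6,
    3233: 8,
    3263: 13,
    3312: 8,
}

# First fixed cflinuxfs2 release, per the advisory.
FIXED_CFLINUXFS2: Tuple[int, ...] = (1, 94, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version ("3312.7", "v1.92.0") into a tuple of ints.

    Raises ValueError on non-numeric components so a malformed inventory entry
    fails loudly instead of being silently treated as patched.
    """
    v = version.strip().lstrip("v")
    parts = v.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def stemcell_is_vulnerable(version: str) -> bool:
    """True if a BOSH stemcell version falls inside the advisory's affected ranges."""
    line, *rest = parse_version(version)
    patch = rest[0] if rest else 0
    fixed_patch = FIXED_STEMCELL_LINES.get(line)
    if fixed_patch is None:
        # Not one of the lines that received a fix: "All other versions".
        return True
    return patch < fixed_patch


def cflinuxfs2_is_vulnerable(version: str) -> bool:
    """True if a cflinuxfs2 rootfs version is older than the first fixed release."""
    v = parse_version(version)
    # Pad so "1.94" compares equal to "1.94.0".
    v = v + (0,) * (len(FIXED_CFLINUXFS2) - len(v))
    return v < FIXED_CFLINUXFS2


def stemcell_upgrade_target(version: str) -> str:
    """Version to move a vulnerable stemcell to, or '' if it is already fixed.

    For a line without a fix the advisory names no target; returning the newest
    fixed line is an assumption of this example.
    """
    if not stemcell_is_vulnerable(version):
        return ""
    line = parse_version(version)[0]
    if line in FIXED_STEMCELL_LINES:
        return f"{line}.{FIXED_STEMCELL_LINES[line]}"
    newest = max(FIXED_STEMCELL_LINES)
    return f"{newest}.{FIXED_STEMCELL_LINES[newest]}"


def audit(stemcells: List[str], rootfs_versions: List[str]) -> List[str]:
    """Return one finding line per vulnerable component in the inventory."""
    findings: List[str] = []
    for s in stemcells:
        if stemcell_is_vulnerable(s):
            findings.append(f"stemcell {s}: vulnerable, upgrade to {stemcell_upgrade_target(s)}")
    fixed_rootfs = "v" + ".".join(str(n) for n in FIXED_CFLINUXFS2)
    for r in rootfs_versions:
        if cflinuxfs2_is_vulnerable(r):
            findings.append(f"cflinuxfs2 {r}: vulnerable, upgrade to {fixed_rootfs}")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    SAMPLE_STEMCELLS = ["3312.7", "3312.8", "3263.12", "3233.10", "3151.6", "3146.2", "3262.5"]
    SAMPLE_ROOTFS = ["v1.92.0", "1.94.0", "1.95.0"]
    for finding in audit(SAMPLE_STEMCELLS, SAMPLE_ROOTFS) or ["no vulnerable components found"]:
        print(finding)
```

Because the advisory marks every line without a fix as vulnerable, the check defaults to "vulnerable" for any stemcell line it does not recognise, and it refuses to parse non-numeric strings rather than quietly skipping them; both choices keep an incomplete inventory from producing a false "all clear".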

Credit

Jann Horn

References

  • USN-3156-1: https://ubuntu.com/security/notices/USN-3156-1
  • CVE-2016-1252

History

2016-12-20: Initial vulnerability report published