Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cloudfoundryCloud FoundryCFOUNDRY:4CFCCAC7D8EED4AADC23078DD6BCE0FD
HistoryNov 01, 2017 - 12:00 a.m.

USN-3441-1: curl vulnerabilities | Cloud Foundry

2017-11-0100:00:00
Cloud Foundry
www.cloudfoundry.org
28

0.011 Low

EPSS

Percentile

84.9%

JSON

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 14.04

Description

Daniel Stenberg discovered that curl incorrectly handled large floating point output. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-9586)

Even Rouault discovered that curl incorrectly handled large file names when doing TFTP transfers. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly obtain sensitive memory contents. (CVE-2017-1000100)

Brian Carpenter and Yongji Ouyang discovered that curl incorrectly handled numerical range globbing. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly obtain sensitive memory contents. (CVE-2017-1000101)

Max Dymond discovered that curl incorrectly handled FTP PWD responses. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service. (CVE-2017-1000254)

Brian Carpenter discovered that curl incorrectly handled the –write-out command line option. A local attacker could possibly use this issue to obtain sensitive memory contents. (CVE-2017-7407)

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

  • Cloud Foundry BOSH stemcells are vulnerable, including:
    • 3363.x versions prior to 3363.40
    • 3421.x versions prior to 3421.29
    • 3445.x versions prior to 3445.15
    • All other stemcells not listed.
  • All versions of Cloud Foundry cflinuxfs2 prior to 1.160.0

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • The Cloud Foundry project recommends upgrading the following BOSH stemcells:
    • Upgrade 3363.x versions prior to 3363.40
    • Upgrade 3421.x versions prior to 3421.29
    • Upgrade 3445.x versions prior to 3445.15
    • All other stemcells should be upgraded to the latest version available on bosh.io.
  • The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.160.0 or later.

References

Related

openvas 33
nessus 49
ubuntu 2
debian 6
osv 9
fedora 9
ibm 13
gentoo 1
slackware 2
archlinux 13
mageia 2
altlinux 3
amazon 4
freebsd 4
photon 3
prion 5
nvd 5
alpinelinux 5
ubuntucve 5
redhatcve 5
cve 5
cvelist 5
debiancve 5
veracode 5
hackerone 1
openvas
openvas
Ubuntu: Security Advisory (USN-3441-1)
2017-10-11 00:00:00
Ubuntu: Security Advisory (USN-3441-2)
2022-08-26 00:00:00
Debian: Security Advisory (DSA-3992-1)
2017-10-05 00:00:00
nessus
nessus
Ubuntu 14.04 LTS / 16.04 LTS : curl vulnerabilities (USN-3441-1)
2017-10-11 00:00:00
Debian DSA-3992-1 : curl - security update
2017-10-09 00:00:00
SUSE SLES11 Security Update : curl (SUSE-SU-2017:2312-1)
2017-09-01 00:00:00
ubuntu
ubuntu
curl vulnerabilities
2017-10-10 00:00:00
curl vulnerabilities
2017-10-23 00:00:00
debian
debian
[SECURITY] [DSA 3992-1] curl security update
2017-10-06 20:43:43
[SECURITY] [DSA 3992-1] curl security update
2017-10-06 20:43:43
[SECURITY] [DLA 1121-1] curl security update
2017-10-05 09:39:01
osv
osv
curl - security update
2017-10-06 00:00:00
CVE-2017-1000101
2017-10-05 01:29:04
CVE-2017-1000254
2017-10-06 13:29:00
fedora
fedora
[SECURITY] Fedora 26 Update: curl-7.53.1-10.fc26
2017-08-13 20:56:17
[SECURITY] Fedora 25 Update: curl-7.51.0-9.fc25
2017-08-14 00:56:15
[SECURITY] Fedora 27 Update: curl-7.55.1-6.fc27
2017-11-11 03:23:12
ibm
ibm
Security Bulletin: Vulnerabilities in curl affect IBM BladeCenter Advanced Management Module (AMM) (CVE-2016-9586, CVE-2017-7407)
2023-04-14 14:32:25
Security Bulletin: Vulnerabilities in curl affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems
2023-04-14 14:32:25
Security Bulletin: Multiple vulnerabilities in curl affect IBM Flex System Manager (FSM) (CVE-2016-9586, CVE-2017-7407 )
2018-06-18 01:38:11
gentoo
gentoo
cURL: Multiple vulnerabilities
2017-09-17 00:00:00
slackware
slackware
[slackware-security] curl
2017-08-09 20:47:02
[slackware-security] curl
2017-10-06 06:33:52
archlinux
archlinux
[ASA-201708-16] curl: information disclosure
2017-08-22 00:00:00
[ASA-201710-4] lib32-libcurl-gnutls: multiple issues
2017-10-05 00:00:00
[ASA-201710-7] libcurl-compat: multiple issues
2017-10-05 00:00:00
mageia
mageia
Updated curl packages fix security vulnerabilities
2017-08-19 12:58:33
Updated curl packages fix security vulnerability
2018-01-03 19:40:26
altlinux
altlinux
Security fix for the ALT Linux 8 package curl version 7.55.0-alt1
2017-08-09 00:00:00
Security fix for the ALT Linux 8 package curl version 7.52.0-alt1
2016-12-21 00:00:00
Security fix for the ALT Linux 8 package curl version 7.56.0-alt1
2017-10-04 00:00:00
amazon
amazon
Medium: curl
2017-08-31 17:19:00
Medium: curl
2017-11-02 20:18:00
Low: curl
2017-03-22 16:00:00
freebsd
freebsd
cURL -- multiple vulnerabilities
2017-08-09 00:00:00
cURL -- out of bounds read
2017-10-04 00:00:00
cURL -- buffer overflow
2016-12-21 00:00:00
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2017-0045
2017-11-17 00:00:00
Critical Photon OS Security Update - PHSA-2017-0002
2017-11-17 00:00:00
Critical Photon OS Security Update - PHSA-2017-0082
2017-11-08 00:00:00
prion
prion
Heap overflow
2017-10-05 01:29:00
Heap overflow
2017-10-06 13:29:00
Format string
2018-04-23 18:29:00
nvd
nvd
CVE-2017-1000101
2017-10-05 01:29:04
CVE-2016-9586
2018-04-23 18:29:00
CVE-2017-1000254
2017-10-06 13:29:00
alpinelinux
alpinelinux
CVE-2017-1000101
2017-10-05 01:29:04
CVE-2016-9586
2018-04-23 18:29:00
CVE-2017-1000254
2017-10-06 13:29:00
ubuntucve
ubuntucve
CVE-2017-1000101
2017-10-04 00:00:00
CVE-2017-1000254
2017-10-04 00:00:00
CVE-2016-9586
2016-12-21 00:00:00
redhatcve
redhatcve
CVE-2017-1000101
2017-08-09 06:49:45
CVE-2017-1000254
2019-10-10 10:51:19
CVE-2016-9586
2016-12-21 10:17:24
cve
cve
CVE-2017-1000101
2017-10-05 01:29:04
CVE-2017-1000254
2017-10-06 13:29:00
CVE-2016-9586
2018-04-23 18:29:00
cvelist
cvelist
CVE-2017-1000254
2017-10-06 13:00:00
CVE-2017-1000101
2017-10-04 01:00:00
CVE-2017-1000100
2017-10-04 01:00:00
debiancve
debiancve
CVE-2017-1000101
2017-10-05 01:29:04
CVE-2016-9586
2018-04-23 18:29:00
CVE-2017-1000254
2017-10-06 13:29:00
veracode
veracode
Out-Of-Bounds Read
2019-05-16 03:21:39
Buffer Overflow
2019-05-16 03:21:39
Out Of Bounds (OOB) Read Through URL Globbing
2018-05-31 03:37:33
hackerone
hackerone
Internet Bug Bounty: CVE-2017-1000101: cURL: URL globbing out of bounds read
2017-08-01 18:13:51

0.011 Low

EPSS

Percentile

84.9%

JSON
Related for CFOUNDRY:4CFCCAC7D8EED4AADC23078DD6BCE0FD
openvas33nessus49ubuntu2debian6osv9fedora9ibm13gentoo1slackware2archlinux13mageia2altlinux3amazon4freebsd4photon3prion5nvd5alpinelinux5ubuntucve5redhatcve5cve5cvelist5debiancve5veracode5hackerone1