Lucene search

Cloud FoundryCFOUNDRY:B007F1A0F4BAEAAA61C69C9E3F3DE371

HistoryJan 20, 2022 - 12:00 a.m.

USN-5158-1: ImageMagick vulnerabilities | Cloud Foundry

2022-01-2000:00:00

Cloud Foundry

www.cloudfoundry.org

imagemagick

canonical ubuntu

cloud foundry

medium

cve-2021-20244

cve-2021-20246

cve-2021-20309

cve-2021-20312

cve-2021-20313

cflinuxfs3

cf deployment

denial of service

mitigation

upgrade

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.004

Percentile

73.3%

JSON

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

Canonical Ubuntu 18.04

Description

It was discovered that ImageMagick incorrectly handled certain values when processing visual effects based image files. By tricking a user into opening a specially crafted image file, an attacker could crash the application causing a denial of service. (CVE-2021-20244) It was discovered that ImageMagick incorrectly handled certain values when performing resampling operations. By tricking a user into opening a specially crafted image file, an attacker could crash the application causing a denial of service. (CVE-2021-20246) It was discovered that ImageMagick incorrectly handled certain values when processing visual effects based image files. By tricking a user into opening a specially crafted image file, an attacker could crash the application causing a denial of service (CVE-2021-20309) It was discovered that ImageMagick incorrectly handled certain values when processing thumbnail image data. By tricking a user into opening a specially crafted image file, an attacker could crash the application causing a denial of service. (CVE-2021-20312) It was discovered that ImageMagick incorrectly handled memory cleanup when performing certain cryptographic operations. Under certain conditions sensitive cryptographic information could be disclosed. (CVE-2021-20313)

CVEs contained in this USN include: CVE-2021-20244, CVE-2021-20246, CVE-2021-20309, CVE-2021-20312, CVE-2021-20313.

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

cflinuxfs3
- All versions prior to 0.269.0
CF Deployment
- All versions prior to 17.1.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

cflinuxfs3
- Upgrade all versions to 0.269.0 or greater
CF Deployment
- Upgrade all versions to 17.1.0 or greater

References

History

2022-01-20: Initial vulnerability report published.

Affected configurations

Vulners

Node

cloudfoundrycflinuxfs3Range<0.269.0

cloudfoundrycf-deploymentRange<17.1.0

VendorProductVersionCPE
cloudfoundrycflinuxfs3*cpe:2.3:a:cloudfoundry:cflinuxfs3:*:*:*:*:*:*:*:*
cloudfoundrycf-deployment*cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cloudfoundry	cflinuxfs3	*	cpe:2.3:a:cloudfoundry:cflinuxfs3::::::::
cloudfoundry	cf-deployment	*	cpe:2.3:a:cloudfoundry:cf-deployment::::::::