Lucene search

Cloud FoundryCFOUNDRY:B42DDEE387C58E1E82ABFDD271325568

HistoryMar 18, 2024 - 12:00 a.m.

USN-6513-2: Python vulnerability | Cloud Foundry

2024-03-1800:00:00

Cloud Foundry

www.cloudfoundry.org

canonical ubuntu

python vulnerability

tls handshake

cloud foundry

denial of service

cve-2023-40217

cflinuxfs4

jammy stemcells

cf deployment

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

AI Score

7.7

Confidence

High

EPSS

0.001

Percentile

35.7%

JSON

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

Canonical Ubuntu 22.04

Description

USN-6513-1 fixed vulnerabilities in Python. This update provides the corresponding updates for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. Original advisory details: It was discovered that Python incorrectly handled certain plist files. If a user or an automated system were tricked into processing a specially crafted plist file, an attacker could possibly use this issue to consume resources, resulting in a denial of service. (CVE-2022-48564) It was discovered that Python instances of ssl.SSLSocket were vulnerable to a bypass of the TLS handshake. An attacker could possibly use this issue to cause applications to treat unauthenticated received data before TLS handshake as authenticated data after TLS handshake. (CVE-2023-40217) Update Instructions: Run sudo pro fix USN-6513-2 to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: python3.8-minimal – 3.8.10-0ubuntu1~20.04.9 python3.8-full – 3.8.10-0ubuntu1~20.04.9 libpython3.8-minimal – 3.8.10-0ubuntu1~20.04.9 python3.8-examples – 3.8.10-0ubuntu1~20.04.9 python3.8-dev – 3.8.10-0ubuntu1~20.04.9 libpython3.8-dev – 3.8.10-0ubuntu1~20.04.9 python3.8-venv – 3.8.10-0ubuntu1~20.04.9 libpython3.8 – 3.8.10-0ubuntu1~20.04.9 idle-python3.8 – 3.8.10-0ubuntu1~20.04.9 libpython3.8-testsuite – 3.8.10-0ubuntu1~20.04.9 libpython3.8-stdlib – 3.8.10-0ubuntu1~20.04.9 python3.8 – 3.8.10-0ubuntu1~20.04.9 python3.8-doc – 3.8.10-0ubuntu1~20.04.9 No subscription required

CVEs contained in this USN include: CVE-2023-40217.

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

cflinuxfs4
- All versions prior to 1.55.0
Jammy Stemcells
- 1.x versions prior to 1.318
- All other stemcells not listed.
CF Deployment
- All versions with Jammy Stemcells prior to 1.318

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below.

The Cloud Foundry project recommends upgrading the following releases:

cflinuxfs4
- Upgrade all versions to 1.55.0 or greater
Jammy Stemcells
- Upgrade 1.x versions to 1.318 or greater
- All other stemcells should be upgraded to the latest version available on bosh.io.
CF Deployment
- For all versions, upgrade Jammy Stemcells to 1.318 or greater

References

History

2024-03-18: Initial vulnerability report published.

Affected configurations

Vulners

Node

cloudfoundrycflinuxfs4Range<1.55.0

cloudfoundryjammy_stemcellsRange<1.318

cloudfoundrycf-deploymentRange<1.318

VendorProductVersionCPE
cloudfoundrycflinuxfs4*cpe:2.3:a:cloudfoundry:cflinuxfs4:*:*:*:*:*:*:*:*
cloudfoundryjammy_stemcells*cpe:2.3:a:cloudfoundry:jammy_stemcells:*:*:*:*:*:*:*:*
cloudfoundrycf-deployment*cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cloudfoundry	cflinuxfs4	*	cpe:2.3:a:cloudfoundry:cflinuxfs4::::::::
cloudfoundry	jammy_stemcells	*	cpe:2.3:a:cloudfoundry:jammy_stemcells::::::::
cloudfoundry	cf-deployment	*	cpe:2.3:a:cloudfoundry:cf-deployment::::::::