Lucene search

Cloud FoundryCFOUNDRY:DC88CEA06ECA856893E7D089D36ADB07

HistoryMar 09, 2021 - 12:00 a.m.

USN-4602-1: Perl vulnerabilities | Cloud Foundry

2021-03-0900:00:00

Cloud Foundry

www.cloudfoundry.org

perl

canonical ubuntu

16.04

18.04

low severity

cloud foundry

cflinuxfs3

xenial stemcells

cf deployment

cve-2020-10878

cve-2020-10543

cve-2020-12723

mitigation

usn notice

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

EPSS

0.003

Percentile

70.0%

JSON

Severity

Low

Vendor

Canonical Ubuntu

Versions Affected

Canonical Ubuntu 16.04
Canonical Ubuntu 18.04

Description

ManhND discovered that Perl incorrectly handled certain regular expressions. In environments where untrusted regular expressions are evaluated, a remote attacker could possibly use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-10543)

Hugo van der Sanden and Slaven Rezic discovered that Perl incorrectly handled certain regular expressions. In environments where untrusted regular expressions are evaluated, a remote attacker could possibly use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-10878)

Sergey Aleynikov discovered that Perl incorrectly handled certain regular expressions. In environments where untrusted regular expressions are evaluated, a remote attacker could possibly use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-12723)

CVEs contained in this USN include: CVE-2020-10878, CVE-2020-10543, CVE-2020-12723.

Affected Cloud Foundry Products and Versions

Severity is low unless otherwise noted.

cflinuxfs3
- All versions prior to 0.211.0
Xenial Stemcells
- 315.x versions prior to 315.201
- 456.x versions prior to 456.128
- 621.x versions prior to 621.92
- All other stemcells not listed.
CF Deployment
- All versions prior to 15.4.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

cflinuxfs3
- Upgrade all versions to 0.211.0 or greater
Xenial Stemcells
- Upgrade 315.x versions to 315.201 or greater
- Upgrade 456.x versions to 456.128 or greater
- Upgrade 621.x versions to 621.92 or greater
- All other stemcells should be upgraded to the latest version available on bosh.io.
CF Deployment
- Upgrade all versions to 15.4.0 or greater

References

History

2021-03-09: Initial vulnerability report published.

Affected configurations

Vulners

Node

cloudfoundrycflinuxfs3Range<0.211.0

cloudfoundryxenial_stemcellsRange<315.201

cloudfoundryxenial_stemcellsRange<456.128

cloudfoundryxenial_stemcellsRange<621.92

cloudfoundrycf-deploymentRange<15.4.0

VendorProductVersionCPE
cloudfoundrycflinuxfs3*cpe:2.3:a:cloudfoundry:cflinuxfs3:*:*:*:*:*:*:*:*
cloudfoundryxenial_stemcells*cpe:2.3:a:cloudfoundry:xenial_stemcells:*:*:*:*:*:*:*:*
cloudfoundrycf-deployment*cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cloudfoundry	cflinuxfs3	*	cpe:2.3:a:cloudfoundry:cflinuxfs3::::::::
cloudfoundry	xenial_stemcells	*	cpe:2.3:a:cloudfoundry:xenial_stemcells::::::::
cloudfoundry	cf-deployment	*	cpe:2.3:a:cloudfoundry:cf-deployment::::::::