Lucene search

Cloud FoundryCFOUNDRY:ECC53E2A21B42B072F37DD88D240BCC9

HistoryJan 12, 2021 - 12:00 a.m.

USN-4667-1: APT vulnerability | Cloud Foundry

2021-01-1200:00:00

Cloud Foundry

www.cloudfoundry.org

canonical ubuntu

apt vulnerability

cloud foundry

denial of service

cve-2020-27350

xenial stemcells

cf deployment

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

5.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L

EPSS

0.001

Percentile

17.6%

JSON

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

Canonical Ubuntu 16.04
Canonical Ubuntu 18.04

Description

Kevin Backhouse discovered that APT incorrectly handled certain packages. A local attacker could possibly use this issue to cause APT to crash or stop responding, resulting in a denial of service.

CVEs contained in this USN include: CVE-2020-27350.

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

cflinuxfs3
- All versions prior to 0.214.0
Xenial Stemcells
- 315.x versions prior to 315.204
- 456.x versions prior to 456.131
- 621.x versions prior to 621.95
- All other stemcells not listed.
CF Deployment
- All versions prior to 15.4.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

cflinuxfs3
- Upgrade All versions to 0.214.0 or greater
Xenial Stemcells
- Upgrade 315.x versions to 315.204 or greater
- Upgrade 456.x versions to 456.131 or greater
- Upgrade 621.x versions to 621.95 or greater
- All other stemcells should be upgraded to the latest version available on bosh.io.
CF Deployment
- Upgrade All versions to 15.4.0 or greater

References

History

2021-01-13: Initial vulnerability report published.

Affected configurations

Vulners

Node

cloudfoundrycflinuxfs3Range<0.214.0

cloudfoundryxenial_stemcellsRange<315.204

cloudfoundryxenial_stemcellsRange<456.131

cloudfoundryxenial_stemcellsRange<621.95

cloudfoundrycf-deploymentRange<15.4.0

VendorProductVersionCPE
cloudfoundrycflinuxfs3*cpe:2.3:a:cloudfoundry:cflinuxfs3:*:*:*:*:*:*:*:*
cloudfoundryxenial_stemcells*cpe:2.3:a:cloudfoundry:xenial_stemcells:*:*:*:*:*:*:*:*
cloudfoundrycf-deployment*cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cloudfoundry	cflinuxfs3	*	cpe:2.3:a:cloudfoundry:cflinuxfs3::::::::
cloudfoundry	xenial_stemcells	*	cpe:2.3:a:cloudfoundry:xenial_stemcells::::::::
cloudfoundry	cf-deployment	*	cpe:2.3:a:cloudfoundry:cf-deployment::::::::