
USN-2740-1 ICU Vulnerabilities | Cloud Foundry

2015-10-07 00:00:00
Cloud Foundry
www.cloudfoundry.org

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

EPSS: 0.038 Low (Percentile 91.8%)

USN-2740-1 ICU Vulnerabilities

Medium to Low

Vendor

Canonical Ubuntu

Versions Affected

  • icu – International Components for Unicode library

Description

Atte Kettunen discovered that ICU incorrectly handled certain converter names. If an application using ICU processed crafted data, a remote attacker could possibly cause it to crash. (CVE-2015-1270)

It was discovered that ICU incorrectly handled certain memory operations when processing data. If an application using ICU processed crafted data, a remote attacker could possibly cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program. (CVE-2015-2632, CVE-2015-4760)

Affected Products and Versions

_Severity is medium unless otherwise noted._

  • BOSH: All versions of Cloud Foundry BOSH stemcells prior to v3094 are vulnerable to the aforementioned CVEs.
  • Cloud Foundry Runtime: all versions of cf-release prior to 219 are vulnerable to the aforementioned CVEs.
  • PHP Buildpack: all versions of the buildpack prior to 4.1.4 contain a vulnerable version of libicu52.

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry Deployments using BOSH stemcell v3093 or earlier upgrade to v3094 or later, which contain the patched versions of the Linux kernel to resolve the aforementioned CVEs.
  • The Cloud Foundry project recommends that Cloud Foundry Deployments using cf-release 218 or lower upgrade to 219 or higher to resolve the aforementioned CVEs.

Credit

Atte Kettunen
