USN-3139-1: Vim vulnerability | Cloud Foundry

2016-12-14T00:00:00
ID CFOUNDRY:0E8B8BC871B00C0A8672039E74B869EC
Type cloudfoundry
Reporter Cloud Foundry
Modified 2016-12-14T00:00:00

Description

USN-3139-1: Vim vulnerability

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 14.04 LTS

Description

Florian Larysch discovered that the Vim text editor did not properly validate values for the ‘filetype’, ‘syntax’, and ‘keymap’ options. An attacker could trick a user into opening a file with specially crafted modelines and possibly execute arbitrary code with the user’s privileges.

Affected Products and Versions

Severity is medium unless otherwise noted.

  • Cloud Foundry BOSH stemcells are vulnerable, including:
    • All versions prior to 3151.5
    • 3233.x versions prior to 3233.6
    • 3263.x versions prior to 3263.12
    • 3312.x versions prior to 3312.7
    • All other versions
  • All versions of Cloud Foundry cflinuxfs2 prior to v.1.92.0

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team recommends upgrading to the following BOSH stemcells:
    • Upgrade all lower versions of 3151.x to version 3151.5
    • Upgrade all lower versions of 3233.x to version 3233.6
    • Upgrade all lower versions of 3263.x to version 3263.12
    • Upgrade all lower versions of 3312.x to version 3312.7
  • The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.92.0 or later versions

Credit

Florian Larysch

References

  • <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1248.html>