
USN-2990-1 ImageMagick vulnerability (a.k.a. ImageTragick) | Cloud Foundry

Description

# USN-2990-1 ImageMagick vulnerability (a.k.a. ImageTragick)

## Severity

Medium

## Vendor

ImageMagick, Canonical Ubuntu

## Versions Affected

* Canonical Ubuntu 14.04 LTS

## Description

Nikolay Ermishkin and Stewie discovered that ImageMagick incorrectly sanitized untrusted input. A remote attacker could use these issues to execute arbitrary code. These issues are known as 'ImageTragick'. The Ubuntu update (USN-2990-1) disables the problematic coders via the /etc/ImageMagick-6/policy.xml configuration file. In certain environments the coders may need to be manually re-enabled, but only after making sure that ImageMagick does not process untrusted input. ([CVE-2016-3714](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3714.html>), [CVE-2016-3715](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3715.html>), [CVE-2016-3716](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3716.html>), [CVE-2016-3717](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3717.html>), [CVE-2016-3718](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3718.html>))

Bob Friesenhahn discovered that ImageMagick allowed injecting commands via an image file or filename. A remote attacker could use this issue to execute arbitrary code. ([CVE-2016-5118](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5118.html>))

## Affected Products and Versions

_Severity is medium unless otherwise noted._

* All versions of Cloud Foundry cflinuxfs2 prior to v.1.65.0

## Mitigation

Users of affected versions should apply the following mitigation:

* The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.65.0 or later versions

## Credit

Stewie, Nikolay Ermishkin, Bob Friesenhahn

## References

* <http://www.ubuntu.com/usn/usn-2990-1/>
* <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3714.html>
* <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3715.html>
* <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3716.html>
* <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3717.html>
* <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3718.html>
* <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5118.html>
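The advisory's mitigation rests on a policy.xml that denies the dangerous coders, and it warns that operators sometimes re-enable them. The following is an added example, not code from the advisory, Canonical or the Cloud Foundry project: it parses a policy.xml and reports which of the ImageTragick coders are still readable. The coder list (EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, PLT) is the one published with the ImageTragick disclosure and is assumed here as the baseline; the exact file Ubuntu ships is not reproduced on this page. The three policy.xml documents are constructed samples, and the "last matching coder policy wins" evaluation order is a modelling assumption (it is what makes the documented deny-all-then-allowlist idiom work).

```python
"""Check an ImageMagick-6 policy.xml for the ImageTragick coder restrictions.

Added example; not part of USN-2990-1, Ubuntu or Cloud Foundry code.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Baseline: coders the ImageTragick disclosure recommends disabling (assumption).
IMAGETRAGICK_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                       "TEXT", "SHOW", "WIN", "PLT")

# Constructed sample 1: a policy that leaves every coder enabled (pre-update state).
UNPATCHED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>
"""

# Constructed sample 2: the mitigation style the advisory describes, denying
# each dangerous coder explicitly while leaving the rest untouched.
HARDENED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="TEXT"/>
  <policy domain="coder" rights="none" pattern="SHOW"/>
  <policy domain="coder" rights="none" pattern="WIN"/>
  <policy domain="coder" rights="none" pattern="PLT"/>
</policymap>
"""

# Constructed sample 3: the stricter allowlist idiom. Everything is denied
# first, then only the formats the application really needs are re-enabled.
ALLOWLIST_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="coder" rights="none" pattern="*"/>
  <policy domain="coder" rights="read|write" pattern="PNG"/>
  <policy domain="coder" rights="read|write" pattern="JPEG"/>
</policymap>
"""


def read_denied_coders(policy_xml, candidates=IMAGETRAGICK_CODERS):
    """Return the candidates whose read right the policy takes away.

    Each <policy domain="coder"> carries a case-insensitive glob pattern. The
    model here (assumption) is that every matching rule is applied in file
    order and the last match decides, so a trailing read|write entry can
    re-open a coder that an earlier pattern="*" rights="none" closed.
    """
    root = ET.fromstring(policy_xml)
    rules = []
    for policy in root.iter("policy"):
        if policy.get("domain", "").lower() != "coder":
            continue
        rights = {r.strip().lower() for r in policy.get("rights", "").split("|")}
        rules.append((policy.get("pattern", "").upper(), "read" in rights))

    denied = []
    for coder in candidates:
        allowed = True  # no matching rule at all: the coder stays enabled
        for pattern, allows_read in rules:
            if fnmatch.fnmatchcase(coder.upper(), pattern):
                allowed = allows_read
        if not allowed:
            denied.append(coder)
    return denied


def missing_restrictions(policy_xml, required=IMAGETRAGICK_CODERS):
    """Baseline coders that this policy still lets ImageMagick read."""
    denied = set(read_denied_coders(policy_xml, required))
    return [c for c in required if c not in denied]


if __name__ == "__main__":
    # On a real host you would read /etc/ImageMagick-6/policy.xml instead.
    for name, doc in (("unpatched", UNPATCHED_POLICY),
                      ("hardened", HARDENED_POLICY),
                      ("allowlist", ALLOWLIST_POLICY)):
        print(name, "still readable:", missing_restrictions(doc))
```

Run it against the policy.xml baked into a cflinuxfs2 rootfs or a container image before deploying; an empty list from `missing_restrictions` is the state the advisory's update leaves behind, and any coder it prints is one someone re-enabled and must justify.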

