Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

• Canonical Ubuntu 22.04

Description

It was discovered that GNU binutils incorrectly handled certain COFF files. An attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2022-38533) It was discovered that GNU binutils was not properly performing bounds checks in several functions, which could lead to a buffer overflow. An attacker could possibly use this issue to cause a denial of service, expose sensitive information or execute arbitrary code. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-4285, CVE-2020-19726, CVE-2021-46174) It was discovered that GNU binutils contained a reachable assertion, which could lead to an intentional assertion failure when processing certain crafted DWARF files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-35205) Update Instructions: Run sudo pro fix USN-6544-1 to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: binutils-dev – 2.34-6ubuntu1.7 binutils-arm-linux-gnueabihf – 2.34-6ubuntu1.7 binutils-hppa64-linux-gnu – 2.34-6ubuntu1.7 binutils-ia64-linux-gnu – 2.34-6ubuntu1.7 binutils-multiarch – 2.34-6ubuntu1.7 binutils-x86-64-kfreebsd-gnu – 2.34-6ubuntu1.7 binutils-riscv64-linux-gnu – 2.34-6ubuntu1.7 binutils-m68k-linux-gnu – 2.34-6ubuntu1.7 binutils-for-build – 2.34-6ubuntu1.7 binutils-s390x-linux-gnu – 2.34-6ubuntu1.7 binutils-x86-64-linux-gnu – 2.34-6ubuntu1.7 binutils-multiarch-dev – 2.34-6ubuntu1.7 binutils-i686-gnu – 2.34-6ubuntu1.7 libctf-nobfd0 – 2.34-6ubuntu1.7 binutils-for-host – 2.34-6ubuntu1.7 binutils-doc – 2.34-6ubuntu1.7 binutils-sh4-linux-gnu – 2.34-6ubuntu1.7 binutils-aarch64-linux-gnu – 2.34-6ubuntu1.7 libctf0 – 2.34-6ubuntu1.7 binutils-source – 2.34-6ubuntu1.7 binutils-i686-linux-gnu – 2.34-6ubuntu1.7 binutils-common – 2.34-6ubuntu1.7 binutils-x86-64-linux-gnux32 – 2.34-6ubuntu1.7 binutils-i686-kfreebsd-gnu – 2.34-6ubuntu1.7 binutils-powerpc64le-linux-gnu – 2.34-6ubuntu1.7 binutils-powerpc64-linux-gnu – 2.34-6ubuntu1.7 binutils-hppa-linux-gnu – 2.34-6ubuntu1.7 binutils-sparc64-linux-gnu – 2.34-6ubuntu1.7 libbinutils – 2.34-6ubuntu1.7 binutils-arm-linux-gnueabi – 2.34-6ubuntu1.7 binutils-alpha-linux-gnu – 2.34-6ubuntu1.7 binutils-powerpc-linux-gnu – 2.34-6ubuntu1.7 binutils – 2.34-6ubuntu1.7 No subscription required

CVEs contained in this USN include: CVE-2022-38533, CVE-2020-19726, CVE-2021-46174, CVE-2022-35205, CVE-2022-4285.

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

• cflinuxfs4
  • All versions prior to 1.59.0
• Jammy Stemcells
  • 1.x versions prior to 1.327
  • All other stemcells not listed.
• CF Deployment
  • All versions with Jammy Stemcells prior to 1.327

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below.

The Cloud Foundry project recommends upgrading the following releases:

• cflinuxfs4
  • Upgrade all versions to 1.59.0 or greater
• Jammy Stemcells
  • Upgrade 1.x versions to 1.327 or greater
  • All other stemcells should be upgraded to the latest version available on bosh.io.
• CF Deployment
  • For all versions, upgrade Jammy Stemcells to 1.327 or greater

References

• USN Notice
• CVE-2022-38533
• CVE-2020-19726
• CVE-2021-46174
• CVE-2022-35205
• CVE-2022-4285

History

2024-04-04: Initial vulnerability report published.