logo
DATABASE RESOURCES PRICING ABOUT US

USN-3441-1: curl vulnerabilities | Cloud Foundry

Description

# # Severity Medium # Vendor Canonical Ubuntu # Versions Affected * Canonical Ubuntu 14.04 # Description Daniel Stenberg discovered that curl incorrectly handled large floating point output. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. ([CVE-2016-9586](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9586>)) Even Rouault discovered that curl incorrectly handled large file names when doing TFTP transfers. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly obtain sensitive memory contents. ([CVE-2017-1000100](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000100>)) Brian Carpenter and Yongji Ouyang discovered that curl incorrectly handled numerical range globbing. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly obtain sensitive memory contents. ([CVE-2017-1000101](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000101>)) Max Dymond discovered that curl incorrectly handled FTP PWD responses. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service. ([CVE-2017-1000254](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000254>)) Brian Carpenter discovered that curl incorrectly handled the –write-out command line option. A local attacker could possibly use this issue to obtain sensitive memory contents. ([CVE-2017-7407](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7407>)) # Affected Cloud Foundry Products and Versions _Severity is medium unless otherwise noted._ * Cloud Foundry BOSH stemcells are vulnerable, including: * 3363.x versions prior to 3363.40 * 3421.x versions prior to 3421.29 * 3445.x versions prior to 3445.15 * All other stemcells not listed. * All versions of Cloud Foundry cflinuxfs2 prior to 1.160.0 # Mitigation OSS users are strongly encouraged to follow one of the mitigations below: * The Cloud Foundry project recommends upgrading the following BOSH stemcells: * Upgrade 3363.x versions prior to 3363.40 * Upgrade 3421.x versions prior to 3421.29 * Upgrade 3445.x versions prior to 3445.15 * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io>). * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.160.0 or later. # References * [USN-3441-1](<http://www.ubuntu.com/usn/usn-3441-1/>) * [CVE-2016-9586](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9586>) * [CVE-2017-1000100](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000100>) * [CVE-2017-1000101](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000101>) * [CVE-2017-1000254](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-1000254>) * [CVE-2017-7407](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-7407>)


Related