Lucene search

Cloud FoundryCFOUNDRY:517E4C2F9EA6E0BC6990C9D553E6E759

HistoryJun 18, 2019 - 12:00 a.m.

USN-4015-1: DBus vulnerability | Cloud Foundry

2019-06-1800:00:00

Cloud Foundry

www.cloudfoundry.org

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

3.6 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:P/A:N

0.0005 Low

EPSS

Percentile

16.6%

JSON

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

Canonical Ubuntu 16.04
Canonical Ubuntu 18.04

Description

Joe Vennix discovered that DBus incorrectly handled DBUS_COOKIE_SHA1 authentication. A local attacker could possibly use this issue to bypass authentication and connect to DBus servers with elevated privileges.

CVEs contained in this USN include: CVE-2019-12749

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

Cloud Foundry BOSH xenial-stemcells are vulnerable, including:
- 315.x versions prior to 315.41
- 250.x versions prior to 250.63
- 170.x versions prior to 170.82
- 97.x versions prior to 97.113
- All other stemcells not listed.
All versions of Cloud Foundry cflinuxfs3 prior to 0.101.0

Mitigation

Users of affected products are strongly encouraged to follow one of the mitigations below:

The Cloud Foundry project recommends upgrading the following BOSH xenial-stemcells:
- Upgrade 315.x versions to 315.41
- Upgrade 250.x versions to 250.63
- Upgrade 170.x versions to 170.82
- Upgrade 97.x versions to 97.113
- All other stemcells should be upgraded to the latest version available on bosh.io.
The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs3 version 0.101.0 or later.