Cloud FoundryCFOUNDRY:5D948DFA8785FE88FEF70169A3BB50E9USN-6258-1: LLVM Toolchain vulnerabilities | Cloud Foundry
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
12.7%
Severity
Medium
Vendor
Canonical Ubuntu
Versions Affected
- Canonical Ubuntu 22.04
Description
It was discovered that LLVM Toolchain did not properly manage memory under certain circumstances. If a user were tricked into opening a specially crafted MLIR file, an attacker could possibly use this issue to cause LLVM Toolchain to crash, resulting in a denial of service. (CVE-2023-29932, CVE-2023-29934, CVE-2023-29939) It was discovered that LLVM Toolchain did not properly manage memory under certain circumstances. If a user were tricked into opening a specially crafted MLIR file, an attacker could possibly use this issue to cause LLVM Toolchain to crash, resulting in a denial of service. This issue only affected llvm-toolchain-15. (CVE-2023-29933) Update Instructions: Run sudo pro fix USN-6258-1 to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libomp5-13 – 1:13.0.1-2ubuntu2.2 libc++abi-13-dev – 1:13.0.1-2ubuntu2.2 llvm-13-linker-tools – 1:13.0.1-2ubuntu2.2 python3-lldb-13 – 1:13.0.1-2ubuntu2.2 llvm-13-examples – 1:13.0.1-2ubuntu2.2 clang-format-13 – 1:13.0.1-2ubuntu2.2 libllvm-13-ocaml-dev – 1:13.0.1-2ubuntu2.2 libclang-cpp13 – 1:13.0.1-2ubuntu2.2 libc+±13-dev – 1:13.0.1-2ubuntu2.2 libllvm13 – 1:13.0.1-2ubuntu2.2 lld-13 – 1:13.0.1-2ubuntu2.2 liblld-13 – 1:13.0.1-2ubuntu2.2 libclang-13-dev – 1:13.0.1-2ubuntu2.2 libmlir-13-dev – 1:13.0.1-2ubuntu2.2 libomp-13-doc – 1:13.0.1-2ubuntu2.2 libclc-13 – 1:13.0.1-2ubuntu2.2 clang-tools-13 – 1:13.0.1-2ubuntu2.2 llvm-13-doc – 1:13.0.1-2ubuntu2.2 llvm-13-runtime – 1:13.0.1-2ubuntu2.2 libunwind-13-dev – 1:13.0.1-2ubuntu2.2 python3-clang-13 – 1:13.0.1-2ubuntu2.2 clangd-13 – 1:13.0.1-2ubuntu2.2 libmlir-13 – 1:13.0.1-2ubuntu2.2 libclang1-13 – 1:13.0.1-2ubuntu2.2 libomp-13-dev – 1:13.0.1-2ubuntu2.2 libc++abi1-13 – 1:13.0.1-2ubuntu2.2 liblldb-13 – 1:13.0.1-2ubuntu2.2 clang-13-doc – 1:13.0.1-2ubuntu2.2 llvm-13 – 1:13.0.1-2ubuntu2.2 libc++1-13 – 1:13.0.1-2ubuntu2.2 libclang-common-13-dev – 1:13.0.1-2ubuntu2.2 clang-13-examples – 1:13.0.1-2ubuntu2.2 libfuzzer-13-dev – 1:13.0.1-2ubuntu2.2 libclang-cpp13-dev – 1:13.0.1-2ubuntu2.2 llvm-13-dev – 1:13.0.1-2ubuntu2.2 lldb-13 – 1:13.0.1-2ubuntu2.2 liblld-13-dev – 1:13.0.1-2ubuntu2.2 clang-13 – 1:13.0.1-2ubuntu2.2 liblldb-13-dev – 1:13.0.1-2ubuntu2.2 mlir-13-tools – 1:13.0.1-2ubuntu2.2 clang-tidy-13 – 1:13.0.1-2ubuntu2.2 libclc-13-dev – 1:13.0.1-2ubuntu2.2 llvm-13-tools – 1:13.0.1-2ubuntu2.2 libunwind-13 – 1:13.0.1-2ubuntu2.2 No subscription required libomp5-14 – 1:14.0.0-1ubuntu1.1 libllvm-14-ocaml-dev – 1:14.0.0-1ubuntu1.1 libc++abi-14-dev – 1:14.0.0-1ubuntu1.1 liblldb-14 – 1:14.0.0-1ubuntu1.1 libclang-14-dev – 1:14.0.0-1ubuntu1.1 clang-format-14 – 1:14.0.0-1ubuntu1.1 libc+±14-dev – 1:14.0.0-1ubuntu1.1 llvm-14-doc – 1:14.0.0-1ubuntu1.1 libclang-cpp14 – 1:14.0.0-1ubuntu1.1 libomp-14-dev – 1:14.0.0-1ubuntu1.1 libllvm14 – 1:14.0.0-1ubuntu1.1 lld-14 – 1:14.0.0-1ubuntu1.1 liblld-14 – 1:14.0.0-1ubuntu1.1 libunwind-14-dev – 1:14.0.0-1ubuntu1.1 clang-14-doc – 1:14.0.0-1ubuntu1.1 libfuzzer-14-dev – 1:14.0.0-1ubuntu1.1 libclc-14 – 1:14.0.0-1ubuntu1.1 libclang-cpp14-dev – 1:14.0.0-1ubuntu1.1 libc++abi1-14 – 1:14.0.0-1ubuntu1.1 clang-tools-14 – 1:14.0.0-1ubuntu1.1 python3-lldb-14 – 1:14.0.0-1ubuntu1.1 clangd-14 – 1:14.0.0-1ubuntu1.1 python3-clang-14 – 1:14.0.0-1ubuntu1.1 libclang1-14 – 1:14.0.0-1ubuntu1.1 llvm-14-runtime – 1:14.0.0-1ubuntu1.1 llvm-14-tools – 1:14.0.0-1ubuntu1.1 libmlir-14 – 1:14.0.0-1ubuntu1.1 llvm-14-examples – 1:14.0.0-1ubuntu1.1 libmlir-14-dev – 1:14.0.0-1ubuntu1.1 liblldb-14-dev – 1:14.0.0-1ubuntu1.1 llvm-14 – 1:14.0.0-1ubuntu1.1 libclc-14-dev – 1:14.0.0-1ubuntu1.1 libc++1-14 – 1:14.0.0-1ubuntu1.1 mlir-14-tools – 1:14.0.0-1ubuntu1.1 libomp-14-doc – 1:14.0.0-1ubuntu1.1 liblld-14-dev – 1:14.0.0-1ubuntu1.1 llvm-14-linker-tools – 1:14.0.0-1ubuntu1.1 libclang-common-14-dev – 1:14.0.0-1ubuntu1.1 lldb-14 – 1:14.0.0-1ubuntu1.1 llvm-14-dev – 1:14.0.0-1ubuntu1.1 clang-14 – 1:14.0.0-1ubuntu1.1 clang-tidy-14 – 1:14.0.0-1ubuntu1.1 libunwind-14 – 1:14.0.0-1ubuntu1.1 clang-14-examples – 1:14.0.0-1ubuntu1.1 No subscription required mlir-15-tools – 1:15.0.7-0ubuntu0.22.04.3 libmlir-15 – 1:15.0.7-0ubuntu0.22.04.3 liblldb-15 – 1:15.0.7-0ubuntu0.22.04.3 clang-format-15 – 1:15.0.7-0ubuntu0.22.04.3 liblld-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libclang-cpp15 – 1:15.0.7-0ubuntu0.22.04.3 libllvm15 – 1:15.0.7-0ubuntu0.22.04.3 libunwind-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libfuzzer-15-dev – 1:15.0.7-0ubuntu0.22.04.3 lld-15 – 1:15.0.7-0ubuntu0.22.04.3 liblld-15 – 1:15.0.7-0ubuntu0.22.04.3 libclang-common-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libomp-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libomp-15-doc – 1:15.0.7-0ubuntu0.22.04.3 libllvm-15-ocaml-dev – 1:15.0.7-0ubuntu0.22.04.3 liblldb-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libclc-15 – 1:15.0.7-0ubuntu0.22.04.3 libmlir-15-dev – 1:15.0.7-0ubuntu0.22.04.3 clang-tools-15 – 1:15.0.7-0ubuntu0.22.04.3 python3-lldb-15 – 1:15.0.7-0ubuntu0.22.04.3 python3-clang-15 – 1:15.0.7-0ubuntu0.22.04.3 libclang1-15 – 1:15.0.7-0ubuntu0.22.04.3 llvm-15-examples – 1:15.0.7-0ubuntu0.22.04.3 clang-15-examples – 1:15.0.7-0ubuntu0.22.04.3 libc+±15-dev – 1:15.0.7-0ubuntu0.22.04.3 bolt-15 – 1:15.0.7-0ubuntu0.22.04.3 llvm-15 – 1:15.0.7-0ubuntu0.22.04.3 libclc-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libc++1-15 – 1:15.0.7-0ubuntu0.22.04.3 llvm-15-doc – 1:15.0.7-0ubuntu0.22.04.3 llvm-15-runtime – 1:15.0.7-0ubuntu0.22.04.3 clang-15-doc – 1:15.0.7-0ubuntu0.22.04.3 libc++abi-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libunwind-15 – 1:15.0.7-0ubuntu0.22.04.3 lldb-15 – 1:15.0.7-0ubuntu0.22.04.3 llvm-15-linker-tools – 1:15.0.7-0ubuntu0.22.04.3 llvm-15-tools – 1:15.0.7-0ubuntu0.22.04.3 clang-15 – 1:15.0.7-0ubuntu0.22.04.3 libclang-cpp15-dev – 1:15.0.7-0ubuntu0.22.04.3 libc++abi1-15 – 1:15.0.7-0ubuntu0.22.04.3 libclang-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libbolt-15-dev – 1:15.0.7-0ubuntu0.22.04.3 clangd-15 – 1:15.0.7-0ubuntu0.22.04.3 clang-tidy-15 – 1:15.0.7-0ubuntu0.22.04.3 llvm-15-dev – 1:15.0.7-0ubuntu0.22.04.3 libomp5-15 – 1:15.0.7-0ubuntu0.22.04.3 No subscription required
CVEs contained in this USN include: CVE-2023-29932, CVE-2023-29933, CVE-2023-29934, CVE-2023-29939.
Affected Cloud Foundry Products and Versions
Severity is medium unless otherwise noted.
- cflinuxfs4
- All versions prior to 1.25.0
- Jammy Stemcells
- 1.x versions prior to 1.199
- All other stemcells not listed.
- CF Deployment
- All versions with Jammy Stemcells prior to 1.199
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
- cflinuxfs4
- Upgrade all versions to 1.25.0 or greater
- Jammy Stemcells
- Upgrade 1.x versions to 1.199 or greater
- All other stemcells should be upgraded to the latest version available on bosh.io.
- CF Deployment
- For all versions, upgrade Jammy Stemcells to 1.199 or greater
References
History
2023-08-16: Initial vulnerability report published.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| cflinuxfs4 | lt | 1.25.0 | |
| jammy stemcells | lt | 1.199 | |
| cf deployment | lt | 1.199 |
Related
5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
0.0004 Low
EPSS
Percentile
12.7%