Cloud FoundryCFOUNDRY:69B78308D8FC76C015D2E7545FD9F2CBUSN-6659-1: libde265 vulnerabilities | Cloud Foundry
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.9 High
AI Score
Confidence
High
4.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
35.3%
Severity
Medium
Vendor
Canonical Ubuntu
Versions Affected
- Canonical Ubuntu 22.04
Description
It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2022-43244, CVE-2022-43249, CVE-2022-43250, CVE-2022-47665, CVE-2023-25221) It was discovered that libde265 could be made to read out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. (CVE-2022-43245) It was discovered that libde265 could be made to dereference invalid memory. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. (CVE-2023-24751, CVE-2023-24752, CVE-2023-24754, CVE-2023-24755, CVE-2023-24756, CVE-2023-24757, CVE-2023-24758) Update Instructions: Run sudo pro fix USN-6659-1 to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libde265-0 – 1.0.4-1ubuntu0.3 libde265-examples – 1.0.4-1ubuntu0.3 libde265-dev – 1.0.4-1ubuntu0.3 No subscription required
CVEs contained in this USN include: CVE-2022-43244, CVE-2022-43245, CVE-2022-43249, CVE-2022-43250, CVE-2022-47665, CVE-2023-24751, CVE-2023-24752, CVE-2023-24754, CVE-2023-24755, CVE-2023-24756, CVE-2023-24757, CVE-2023-24758, CVE-2023-25221.
Affected Cloud Foundry Products and Versions
Severity is medium unless otherwise noted.
- cflinuxfs4
- All versions prior to 1.75.0
- CF Deployment
- All versions prior to 39.1.0
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below.
The Cloud Foundry project recommends upgrading the following releases:
- cflinuxfs4
- Upgrade all versions to 1.75.0 or greater
- CF Deployment
- Upgrade all versions to 39.1.0 or greater
References
- USN Notice
- CVE-2022-43244
- CVE-2022-43245
- CVE-2022-43249
- CVE-2022-43250
- CVE-2022-47665
- CVE-2023-24751
- CVE-2023-24752
- CVE-2023-24754
- CVE-2023-24755
- CVE-2023-24756
- CVE-2023-24757
- CVE-2023-24758
- CVE-2023-25221
History
2024-04-04: Initial vulnerability report published.
| CPE | Name | Operator | Version |
|---|---|---|---|
| cflinuxfs4 | lt | 1.75.0 | |
| cf deployment | lt | 39.1.0 |
Related
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.9 High
AI Score
Confidence
High
4.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
35.3%