
USN-3464-1: Wget vulnerabilities | Cloud Foundry

# **Medium**

# Vendor

**Canonical Ubuntu**

# Versions Affected

* Canonical Ubuntu 14.04

# Description

Antti Levomäki, Christian Jalio, and Joonas Pihlaja discovered that Wget incorrectly handled certain HTTP responses. A remote attacker could use this issue to cause Wget to crash, resulting in a denial of service, or possibly execute arbitrary code. ([CVE-2017-13089](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-13089), [CVE-2017-13090](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-13090))

Dawid Golunski discovered that Wget incorrectly handled recursive or mirroring mode. A remote attacker could possibly use this issue to bypass intended access list restrictions. ([CVE-2016-7098](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7098))

Orange Tsai discovered that Wget incorrectly handled CRLF sequences in HTTP headers. A remote attacker could possibly use this issue to inject arbitrary HTTP headers. ([CVE-2017-6508](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6508))

# Affected Cloud Foundry Products and Versions

**_Severity is medium unless otherwise noted._**

* Cloud Foundry BOSH stemcells are vulnerable, including:
  * 3421.x versions prior to 3421.32
  * 3445.x versions prior to 3445.17
  * 3468.x versions prior to 3468.11
  * All other stemcells not listed.
* All versions of Cloud Foundry cflinuxfs2 prior to 1.165.0

# Mitigation

**OSS users are strongly encouraged to follow one of the mitigations below:**

* The Cloud Foundry project recommends upgrading the following BOSH stemcells:
  * Upgrade 3421.x versions prior to 3421.32
  * Upgrade 3445.x versions prior to 3445.17
  * Upgrade 3468.x versions prior to 3468.11
  * All other stemcells should be upgraded to the latest version available on [bosh.io](https://bosh.io).
* The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.165.0 or later.

# References

* [USN-3464-1](http://www.ubuntu.com/usn/usn-3464-1/)
* [CVE-2017-13089](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-13089)
* [CVE-2017-13090](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-13090)
* [CVE-2016-7098](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7098)
* [CVE-2017-6508](http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6508)
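As an added example, not part of the Cloud Foundry advisory, the following Python encodes the affected-version rules above (including the "all other stemcells not listed" clause) so an operator can audit an inventory of stemcell and cflinuxfs2 versions; the inventory entries are constructed sample values.

```python
"""Audit BOSH stemcell and cflinuxfs2 versions against USN-3464-1 (added example)."""
from __future__ import annotations

# First fixed patch level per stemcell line, as listed in the advisory.
FIXED_STEMCELLS: dict[str, int] = {"3421": 32, "3445": 17, "3468": 11}

# First fixed cflinuxfs2 release, as listed in the advisory.
FIXED_CFLINUXFS2: tuple[int, ...] = (1, 165, 0)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted version such as '3445.17' or '1.164.2' into an int tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def stemcell_is_vulnerable(version: str) -> bool:
    """True when a stemcell version falls inside an affected range.

    Lines the advisory does not enumerate are treated as vulnerable, matching
    its "All other stemcells not listed" clause: only an upgrade to the latest
    bosh.io release clears them, which this check cannot confirm offline.
    """
    parts = parse_version(version)
    line = str(parts[0])
    if line not in FIXED_STEMCELLS:
        return True
    patch = parts[1] if len(parts) > 1 else 0
    return patch < FIXED_STEMCELLS[line]


def cflinuxfs2_is_vulnerable(version: str) -> bool:
    """True when the cflinuxfs2 rootfs predates 1.165.0 (tuple compare handles 1.9 vs 1.10)."""
    return parse_version(version) < FIXED_CFLINUXFS2


def audit_stemcells(inventory: dict[str, str]) -> dict[str, bool]:
    """Map each deployment in the inventory to whether its stemcell needs upgrading."""
    return {name: stemcell_is_vulnerable(ver) for name, ver in inventory.items()}


# Constructed sample inventory (hypothetical deployment names and versions).
SAMPLE_INVENTORY: dict[str, str] = {
    "cf-prod": "3445.11",       # below 3445.17: vulnerable
    "cf-staging": "3468.11",    # at the fixed level: not vulnerable
    "diego-cells": "3421.32",   # at the fixed level: not vulnerable
    "legacy-env": "3363.20",    # line not listed: treated as vulnerable
}

if __name__ == "__main__":
    for name, flagged in audit_stemcells(SAMPLE_INVENTORY).items():
        print(f"{name}: {'UPGRADE' if flagged else 'ok'}")
```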

