Lucene search

K
cloudfoundryCloud FoundryCFOUNDRY:7AB0CAD728DE1AABF4E9079216128F81
HistoryApr 29, 2021 - 12:00 a.m.

USN-4922-1: Ruby vulnerability | Cloud Foundry

2021-04-2900:00:00
Cloud Foundry
www.cloudfoundry.org
30
ruby vulnerability
rexml gem
xml round-trip attack
canonical ubuntu
cloud foundry
cflinuxfs3
cf deployment
cve-2021-28965
mitigation
upgrade
usn-4922-1

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

43.0%

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 18.04

Description

Juho Nurminen discovered that the REXML gem bundled with Ruby incorrectly parsed and serialized XML documents. A remote attacker could possibly use this issue to perform an XML round-trip attack.

CVEs contained in this USN include: CVE-2021-28965.

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

  • cflinuxfs3
    • All versions prior to 0.236.0
  • CF Deployment
    • All versions prior to 16.13.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • cflinuxfs3
    • Upgrade all versions to 0.236.0 or greater
  • CF Deployment
    • Upgrade all versions to 16.13.0 or greater

References

History

2021-04-29: Initial vulnerability report published.

Affected configurations

Vulners
Node
cloudfoundrycflinuxfs3Range<0.236.0
OR
cloudfoundrycf-deploymentRange<16.13.0

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

43.0%