USN-2935-2 PAM regression | Cloud Foundry

2016-05-0600:00:00

Cloud Foundry

www.cloudfoundry.org

EPSS

0.006

Percentile

78.9%

JSON

USN-2935-2 PAM regression

Low

Vendor

Ubuntu

Versions Affected

Ubuntu 14.04 LTS

Description

USN-2935-1 fixed vulnerabilities in PAM. The updates contained a packaging change that prevented upgrades in certain multiarch environments. USN-2935-2 fixes the problem.

Original issues from USN-2935-1:

It was discovered that the PAM pam_userdb module incorrectly used a case-insensitive method when comparing hashed passwords. A local attacker could possibly use this issue to make brute force attacks easier. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2013-7041)

Sebastian Krahmer discovered that the PAM pam_timestamp module incorrectly performed filtering. A local attacker could use this issue to create arbitrary files, or possibly bypass authentication. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2583)

Sebastien Macke discovered that the PAM pam_unix module incorrectly handled large passwords. A local attacker could possibly use this issue in certain environments to enumerate usernames or cause a denial of service. (CVE-2015-3238)

Affected Products and Versions

_Severity is low unless otherwise noted.
_

All versions of Cloud Foundry rootfs prior to 1.45.0
Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.11 AND other versions prior to 3215.4 are vulnerable

Mitigation

Users of affected versions should apply the following mitigation:

The Cloud Foundry project recommends that Cloud Foundry deployments run with rootfs version 1.45.0 and higher
The Cloud Foundry project recommends that Cloud Foundry upgrade BOSH stemcell 3146.x versions to 3146.11 OR other versions to 3232.2