USN-3128-2: Linux kernel (Xenial HWE) vulnerability | Cloud Foundry

2016-12-27T00:00:00
ID CFOUNDRY:ADC0B498E15923BC9D8697B0215001CD
Type cloudfoundry
Reporter Cloud Foundry
Modified 2016-12-27T00:00:00

Description

USN-3128-2: Linux kernel (Xenial HWE) vulnerability

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 14.04 LTS

Description

Ondrej Kozina discovered that the keyring interface in the Linux kernel contained a buffer overflow when displaying key timeout values via the /proc/keys interface (CVE-2016-7042). A local attacker could use this to cause a denial of service (system crash).

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

Cloud Foundry BOSH stemcells are vulnerable, including:

  • All versions prior to 3151.5
  • 3233.x versions prior to 3233.6
  • 3263.x versions prior to 3263.12
  • 3312.x versions prior to 3312.5
  • All other unmaintained versions are potentially vulnerable.

Mitigation

OSS users are strongly encouraged to apply the mitigation below:

The Cloud Foundry project recommends upgrading to the following BOSH stemcells:

  • Upgrade all older versions to 3151.5 or later
  • Upgrade 3233.x versions to 3233.6 or later
  • Upgrade 3263.x versions to 3263.12 or later
  • Upgrade 3312.x versions to 3312.5 or later
  • Upgrade all other unmaintained versions to the most recent version of a maintained version line.
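The following script is an added example, not part of the Cloud Foundry advisory or the BOSH project: it classifies stemcell versions against the fixed versions listed above so an operator can check a deployment's stemcell inventory. It assumes stemcell versions have the form `<line>.<patch>` (e.g. 3263.11), treats lines the advisory does not name as "vulnerable" when older than 3312 (the advisory calls unmaintained lines potentially vulnerable) and "unknown" when newer, and reads "name version" pairs from stdin; the sample inventory embedded below is constructed for illustration and the `awk` cut of `bosh stemcells` output in the usage note is an assumption about the CLI's column layout.

```shell
#!/bin/sh
# Added example (not Cloud Foundry or BOSH project code): check BOSH stemcell
# versions against the fixed versions listed in this advisory.

# Print "fixed", "vulnerable" or "unknown" for one stemcell version string.
stemcell_status() {
  v=${1%\*}                      # strip a trailing '*' (in-use marker) if present
  case "$v" in
    *.*) line=${v%%.*}; patch=${v#*.}; patch=${patch%%.*} ;;
    *)   line=$v; patch=0 ;;
  esac
  case "$line" in ''|*[!0-9]*) echo unknown; return ;; esac
  case "$patch" in ''|*[!0-9]*) echo unknown; return ;; esac

  # "All versions prior to 3151.5" are vulnerable, so any older line is too.
  if [ "$line" -lt 3151 ]; then echo vulnerable; return; fi

  # Minimum fixed patch level per maintained line, taken from the advisory.
  case "$line" in
    3151) min=5 ;;
    3233) min=6 ;;
    3263) min=12 ;;
    3312) min=5 ;;
    *)
      if [ "$line" -lt 3312 ]; then
        echo vulnerable          # unnamed, unmaintained line: treated as vulnerable
      else
        echo unknown             # newer line than the advisory covers
      fi
      return ;;
  esac
  if [ "$patch" -ge "$min" ]; then echo fixed; else echo vulnerable; fi
}

# Read "name version" lines from stdin, print "status name version" per line,
# and return 1 if any stemcell is vulnerable (0 otherwise).
scan_stemcells() {
  rc=0
  while read -r name version; do
    [ -n "$name" ] || continue
    status=$(stemcell_status "$version")
    printf '%s %s %s\n' "$status" "$name" "$version"
    [ "$status" = vulnerable ] && rc=1
  done
  return $rc
}

# Constructed sample inventory (not real data), in "name version" form.
SAMPLE='bosh-aws-xen-hvm-ubuntu-trusty-go_agent 3263.11
bosh-aws-xen-hvm-ubuntu-trusty-go_agent 3263.12*
bosh-vsphere-esxi-ubuntu-trusty-go_agent 3312.4
bosh-openstack-kvm-ubuntu-trusty-go_agent 3151.5
bosh-google-kvm-ubuntu-trusty-go_agent 3192.1'

printf '%s\n' "$SAMPLE" | scan_stemcells || echo "at least one stemcell needs upgrading"
```

Against a live director the same check would be something like `bosh stemcells | awk 'NR>1 && NF>=2 {print $1, $2}' | scan_stemcells` (the column positions are an assumption about the CLI's table output; adjust to what your CLI prints). A non-zero exit makes the script usable as a gate in a pipeline step.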

Credit

Ondrej Kozina

References

  • <https://www.ubuntu.com/usn/usn-3128-2/>
  • <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7042.html>
  • <http://bosh.io>