# USN-4662-1: OpenSSL vulnerability | Cloud Foundry


## Severity

High

## Vendor

Canonical Ubuntu

## Versions Affected

* Canonical Ubuntu 16.04
* Canonical Ubuntu 18.04

## Description

David Benjamin discovered that OpenSSL incorrectly handled comparing certificates containing an EDIPartyName name type. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service.

CVEs contained in this USN include: CVE-2020-1971.

## Affected Cloud Foundry Products and Versions

_Severity is high unless otherwise noted._

* cflinuxfs3
  * All versions prior to 0.212.0
* Xenial Stemcells
  * 315.x versions prior to 315.203
  * 456.x versions prior to 456.130
  * 621.x versions prior to 621.94
  * All other stemcells not listed.
* CF Deployment
  * All versions prior to 15.4.0

## Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

* cflinuxfs3
  * Upgrade all versions to 0.212.0 or greater
* Xenial Stemcells
  * Upgrade 315.x versions to 315.203 or greater
  * Upgrade 456.x versions to 456.130 or greater
  * Upgrade 621.x versions to 621.94 or greater
  * All other stemcells should be upgraded to the latest version available on [bosh.io](https://bosh.io/stemcells).
* CF Deployment
  * Upgrade all versions to 15.4.0 or greater

## References

* [USN Notice](https://usn.ubuntu.com/4662-1/)
* [CVE-2020-1971](https://people.canonical.com/~ubuntu-security/cve/CVE-2020-1971)

## History

2021-01-13: Initial vulnerability report published.

## Affected Software

| CPE Name | Name | Version |
|---|---|---|
| | cflinuxfs3 | 0.212.0 |
| | xenial stemcells | 315.203 |
| | xenial stemcells | 456.130 |
| | xenial stemcells | 621.94 |
| | cf deployment | 15.4.0 |
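The Mitigation section and the Affected Software table above give one fixed version per product, with the Xenial stemcells split into three release lines and a catch-all for every other stemcell. The following check, added here as an example and not code from the Cloud Foundry project, encodes those thresholds and reports which entries of a deployment inventory still fall inside the affected ranges. The product labels (`cflinuxfs3`, `xenial-stemcell`, `cf-deployment`) and the sample inventory are constructed for the example; the version thresholds are the ones the advisory states.

```python
"""Check BOSH-style version strings against the ranges USN-4662-1 lists as affected.

Added example for this advisory page, not part of the Cloud Foundry project.
Thresholds below are copied from the advisory; product labels and the sample
inventory are constructed for illustration.
"""

# First fixed versions, taken from the advisory's Mitigation section.
CFLINUXFS3_FIXED = (0, 212, 0)
CF_DEPLOYMENT_FIXED = (15, 4, 0)
# Xenial stemcell release line (leading component) -> first fixed version.
XENIAL_STEMCELL_FIXED = {
    315: (315, 203),
    456: (456, 130),
    621: (621, 94),
}


def parse_version(text, min_parts=1):
    """Turn '315.203' or '0.212.0' into a tuple of ints.

    Numeric tuples compare correctly where plain strings would not
    (as strings, '621.94' sorts after '621.100'). Missing trailing parts
    are padded with zeros so '15.4' and '15.4.0' compare equal.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < min_parts:
        parts += (0,) * (min_parts - len(parts))
    return parts


def is_affected(product, version):
    """Return True if this product/version pair is inside an affected range."""
    if product == "cflinuxfs3":
        return parse_version(version, 3) < CFLINUXFS3_FIXED
    if product == "cf-deployment":
        return parse_version(version, 3) < CF_DEPLOYMENT_FIXED
    if product == "xenial-stemcell":
        v = parse_version(version, 2)
        fixed = XENIAL_STEMCELL_FIXED.get(v[0])
        if fixed is None:
            # "All other stemcells not listed": the advisory treats these as
            # affected and asks for an upgrade to the latest version on bosh.io.
            return True
        return v < fixed
    raise ValueError(f"unknown product: {product!r}")


def audit(inventory):
    """Return the (product, version) pairs from an inventory that need upgrading."""
    return [(p, v) for p, v in inventory if is_affected(p, v)]


# Constructed sample inventory, as a deployment's BOSH manifests might report it.
SAMPLE_INVENTORY = [
    ("cflinuxfs3", "0.211.0"),      # below 0.212.0 -> affected
    ("cflinuxfs3", "0.212.0"),      # fixed
    ("xenial-stemcell", "315.202"),  # below 315.203 -> affected
    ("xenial-stemcell", "456.130"),  # fixed
    ("xenial-stemcell", "621.100"),  # above 621.94 -> fixed (string compare would get this wrong)
    ("xenial-stemcell", "170.50"),   # unlisted line -> treated as affected
    ("cf-deployment", "15.3.0"),     # below 15.4.0 -> affected
]

if __name__ == "__main__":
    for product, version in audit(SAMPLE_INVENTORY):
        print(f"UPGRADE NEEDED: {product} {version}")
```

The stemcell check keys on the release line first and only then compares within the line, which mirrors how the advisory phrases the ranges; a flat numeric comparison across lines would wrongly mark a 456.x stemcell safe just because 456 is greater than 315.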