USN-3088-1: Bind vulnerability | Cloud Foundry

2016-12-13T00:00:00
ID CFOUNDRY:DE630CF7E67472C9EFB46DD5E3E29439
Type cloudfoundry
Reporter Cloud Foundry
Modified 2016-12-13T00:00:00

Description

USN-3088-1: Bind vulnerability

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 14.04 LTS

Description

It was discovered that Bind incorrectly handled building responses to certain specially crafted requests. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service.

Affected Products and Versions

Severity is medium unless otherwise noted.

  • Cloud Foundry BOSH stemcells are vulnerable, including:
    • All versions prior to 3151.5
    • 3233.x versions prior to 3233.6
    • 3263.x versions prior to 3263.12
    • 3312.x versions prior to 3312.7
    • All other versions
  • All versions of Cloud Foundry cflinuxfs2 prior to v.1.85.0

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team recommends upgrading to the following BOSH stemcells:
    • Upgrade all lower versions of 3151.x to version 3151.5
    • Upgrade all lower versions of 3233.x to version 3233.6
    • Upgrade all lower versions of 3263.x to version 3263.12
    • Upgrade all lower versions of 3312.x to version 3312.7
  • The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.85.0 or later versions

References

  • <https://www.ubuntu.com/usn/usn-3088-1/>
  • <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2776.html>