Severity

High

Vendor

Canonical Ubuntu

Versions Affected

• Canonical Ubuntu 16.04

Description

Peter Pi discovered a buffer overflow in the virtio network backend (vhost_net) implementation in the Linux kernel. An attacker in a guest may be able to use this to cause a denial of service (host OS crash) or possibly execute arbitrary code in the host OS. (CVE-2019-14835)

It was discovered that the Linux kernel on PowerPC architectures did not properly handle Facility Unavailable exceptions in some situations. A local attacker could use this to expose sensitive information. (CVE-2019-15030)

It was discovered that the Linux kernel on PowerPC architectures did not properly handle exceptions on interrupts in some situations. A local attacker could use this to expose sensitive information. (CVE-2019-15031)

CVEs contained in this USN include: CVE-2019-14835, CVE-2019-15030, CVE-2019-15031

Affected Cloud Foundry Products and Versions

Severity is high unless otherwise noted.

• Cloud Foundry BOSH xenial-stemcells are vulnerable, including:
  • 456.x versions prior to 456.25
  • 315.x versions prior to 315.97
  • 250.x versions prior to 250.110
  • 170.x versions prior to 170.133
  • 97.x versions prior to 97.159
  • All other stemcells not listed.

Mitigation

Users of affected products are strongly encouraged to follow one of the mitigations below:

• The Cloud Foundry project recommends upgrading the following BOSH xenial-stemcells:
  • Upgrade 456.x versions to 456.25
  • Upgrade 315.x versions to 315.97
  • Upgrade 250.x versions to 250.110
  • Upgrade 170.x versions to 170.133
  • Upgrade 97.x versions to 97.159
  • All other stemcells should be upgraded to the latest version available on bosh.io.

References

• USN-4135-1
• CVE-2019-14835
• CVE-2019-15030
• CVE-2019-15031