CVE-2015-1330 Unattended-Upgrades Vulnerability - Cloud Foundry

2015-07-06T00:00:00
ID CFOUNDRY:F64A880F696DB3DA8BC133B954F02672
Type cloudfoundry
Reporter Cloud Foundry
Modified 2015-07-06T00:00:00

Description

CVE-2015-1330 Unattended-Upgrades Vulnerability

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

  • Canonical Ubuntu 14.04 LTS

Description

It was found that for some configurations, unattended-upgrades would not properly perform authentication checks on packages prior to installation. An attacker could thus trick unattended-upgrades into installing altered packages.

Affected Products and Versions

Severity is medium unless otherwise noted.

  • Any Cloud Foundry deployment with Ubuntu Trusty BOSH stemcells 3003 and prior.

Mitigation

Users of affected versions should apply the following mitigation:

  • BOSH stemcell 3004 contains the patched version of unattended-upgrades that resolves CVE-2015-1330. The Cloud Foundry team recommends upgrading to BOSH stemcell 3004 or higher to address this concern.
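An added inventory check, not part of the Cloud Foundry advisory: it reads `bosh stemcells` JSON output and lists the Ubuntu Trusty stemcells that are still at version 3003 or earlier. The `Tables[].Rows[]` layout and the trailing `*` marking an in-use stemcell are assumed from the v2 BOSH CLI, and the sample data is constructed.

```python
"""Flag BOSH stemcells still exposed to CVE-2015-1330 (added example).

Assumptions: `bosh stemcells --json` returns {"Tables": [{"Rows": [...]}]}
with name/os/version keys per row, and an in-use version ends in '*'.
Per the advisory, Trusty stemcells 3003 and prior are affected; 3004 or
higher carries the patched unattended-upgrades.
"""
import json

FIXED_MAJOR = 3004           # first stemcell line with the fix
AFFECTED_OS = "ubuntu-trusty"


def major_version(version):
    """'3003', '3003.1' or '3003*' (in-use marker) -> 3003."""
    return int(version.rstrip("*").split(".")[0])


def is_affected(os_name, version):
    """True for a Trusty stemcell older than 3004."""
    return os_name == AFFECTED_OS and major_version(version) < FIXED_MAJOR


def affected_stemcells(bosh_json):
    """Return [(name, version)] for stemcells the advisory says to replace."""
    doc = json.loads(bosh_json)
    rows = [row for table in doc.get("Tables", []) for row in table.get("Rows", [])]
    return [(r["name"], r["version"]) for r in rows if is_affected(r["os"], r["version"])]


# Constructed sample of `bosh stemcells --json` (layout assumed, values made up).
SAMPLE = json.dumps({"Tables": [{"Content": "stemcells", "Rows": [
    {"name": "bosh-aws-xen-ubuntu-trusty-go_agent", "os": "ubuntu-trusty", "version": "3003*"},
    {"name": "bosh-aws-xen-ubuntu-trusty-go_agent", "os": "ubuntu-trusty", "version": "3004.1"},
    {"name": "bosh-aws-xen-centos-7-go_agent", "os": "centos-7", "version": "3003"},
]}]})

if __name__ == "__main__":
    for name, version in affected_stemcells(SAMPLE):
        print(f"upgrade needed: {name} {version} (below {FIXED_MAJOR})")
```

Only the Trusty 3003 entry is reported; the CentOS row shares the version number but is outside the advisory's scope.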

Credit

Canonical Ubuntu

References

  • <http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1330.html>
  • <http://www.ubuntu.com/usn/usn-2657-1/>
  • <https://bosh.io/stemcells>
  • <https://github.com/cloudfoundry/cf-release>