USN-4882-1: Ruby vulnerabilities | Cloud Foundry

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

• Canonical Ubuntu 18.04

Description

It was discovered that the Ruby JSON gem incorrectly handled certain JSON files. If a user or automated system were tricked into parsing a specially crafted JSON file, a remote attacker could use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2020-10663)

It was discovered that Ruby incorrectly handled certain socket memory operations. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-10933)

It was discovered that Ruby incorrectly handled certain transfer-encoding headers when using Webrick. A remote attacker could possibly use this issue to bypass a reverse proxy. (CVE-2020-25613)

CVEs contained in this USN include: CVE-2020-10663, CVE-2020-10933, CVE-2020-25613.

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

• cflinuxfs3
  • All versions prior to 0.231.0
• CF Deployment
  • All versions prior to 16.11.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

• cflinuxfs3
  • Upgrade all versions to 0.231.0 or greater
• CF Deployment
  • Upgrade all versions to 16.11.0 or greater

References

• USN Notice
• CVE-2020-10663
• CVE-2020-10933
• CVE-2020-25613

History

2021-04-14: Initial vulnerability report published.