Security Bulletin: Vyatta 5600 vRouter Software Patches - Release 1801-zb

Summary

AT&T has released versions 1801-zb for the Vyatta 5600.

Details of these releases can be found at https://cloud.ibm.com/docs/infrastructure/virtual-router-appliance?topic=virtual-router-appliance-at-t-vyatta-5600-vrouter-software-patches#at-t-vyatta-5600-vrouter-software-patches

Vulnerability Details

Relevant CVE Information:

CVEID: CVE-2013-5211 DESCRIPTION: NTP is vulnerable to a denial of service, caused by an error in the monlist feature in ntp_request.c. By sending a sending specially-crafted REQ_MON_GETLIST or REQ_MON_GETLIST_1 request, an attacker could exploit this vulnerability to consume available CPU resources and cause the server to crash.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/90143&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2019-13272 DESCRIPTION: Linux Kernel could allow a local attacker to gain elevated privileges on the system, caused by improper permission validation and improper object lifetime handling for PTRACE_TRACEME in the ptrace_link function. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain root privileges on the system.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163733&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

VRA - Vyatta 5600

Remediation/Fixes

Please contact IBM Cloud Support to request that the ISO for the 1801-za be pushed to your Vyatta system. Users will need to apply the upgraded code according to their defined processes (for example during a defined maintenance window).