CVE-2018-11047: UAA accepts refresh token as access token on admin endpoints | Cloud Foundry

Severity High Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions You are using uaa versions 4.19 prior to 4.19.2, 4.12 prior to 4.12.4, 4.10 prior to 4.10.2, 4.7 prior to 4.7.6, 4.5 prior to 4.5.7 You are using uaa-release versions v60 prior to v60.2, v57 prior to v57.4,...

USN-3711-1: ImageMagick vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Affected Cloud Foundry Products and Versions Severity is medium unless otherwise noted. All versions of Cloud Foundry cflinuxfs2 prior to 1.225.0 Mitigation OSS users are strongly encouraged to follow one...

USN-3809-1: OpenSSH vulnerabilities | Cloud Foundry

Severity Low Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description Robert Swiecki discovered that OpenSSH incorrectly handled certain messages. An attacker could possibly use this issue to cause a denial of service. This issue...

USN-3817-1: Python vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description It was discovered that Python incorrectly handled large amounts of data. A remote attacker could use this issue to cause Python to crash, resulting in a denia...

USN-6242-1: OpenSSH vulnerability | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 22.04 Description It was discovered that OpenSSH incorrectly handled loading certain PKCS11 providers. If a user forwarded their ssh-agent to an untrusted system, a remote attacker could possibly use this issue to load...

USN-3805-1: curl vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description Harry Sintonen discovered that curl incorrectly handled SASL authentication. A remote attacker could use this issue to cause curl to crash, resulting in a...

USN-3821-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description USN-3821-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement HWE kernel from Ubuntu 16.04 LTS for Ubuntu 14.0...

USN-3820-2: Linux kernel (HWE) vulnerabilities | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Description USN-3820-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement HWE kernel from Ubuntu 18.04 LTS for Ubuntu 16.04...

USN-3001-1 Linux kernel (Vivid HWE) vulnerabilities | Cloud Foundry

USN-3001-1 Linux kernel Vivid HWE vulnerabilities High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 LTS Description Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables scatter/gather I/O. A remote attacker could use this to...

USN-3815-1: gettext vulnerability | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Canonical Ubuntu 16.04 Description It was discovered that gettext incorrectly handled certain messages. An attacker could possibly use this issue to execute arbitrary code. CVEs contained in this USN include:...

USN-3816-1: systemd vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description Jann Horn discovered that unitdeserialize incorrectly handled status messages above a certain length. A local attacker could potentially exploit this via NotifyAccess to inject...

USN-3935-1: BusyBox vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description Tyler Hicks discovered that BusyBox incorrectly handled symlinks inside tar archives. If a user or automated system were tricked into processing a specially...

USN-3932-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description USN-3932-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement HWE kernel from Ubuntu 16.04 LTS for Ubuntu 14.0...

USN-3806-1: systemd vulnerability | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description Felix Wilhelm discovered that the systemd-networkd DHCPv6 client incorrectly handled certain DHCPv6 messages. In configurations where systemd-networkd is being used, an attacker on...

USN-3784-1: AppArmor update | Cloud Foundry

Severity Unknown Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Canonical Ubuntu 16.04 Description Use a more restrictive blacklist in several policy abstractions. Affected Cloud Foundry Products and Versions Severity is unknown unless otherwise noted. Cloud Foundry BOSH...

USN-3977-3: Intel Microcode update (AKA ZombieLoad Attack) | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Canonical Ubuntu 16.04 Description USN-3977-1 and USN-3977-2 provided mitigations for Microarchitectural Data Sampling MDS vulnerabilities in Intel Microcode for a large number of Intel processor families. This update...

USN-3910-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description USN-3910-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement HWE kernel from Ubuntu 16.04 LTS for Ubuntu 14.0...

USN-4201-1: Ruby vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 18.04 Description It was discovered that Ruby incorrectly handled certain files. An attacker could possibly use this issue to pass path matching what can lead to an unauthorized access. CVE-2019-15845 It was discovered tha...

USN-3686-1: file vulnerabilities | Cloud Foundry

Severity Low Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Alexander Cherepanov discovered that file incorrectly handled a large number of notes. An attacker could use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS. CVE-2014-9620...

USN-5343-1: Linux kernel vulnerabilities | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Description Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the Linux kernel did not properly restrict access to the cgroups v1 releaseagent feature. A local attacker could use this to gain...

USN-3676-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description USN-3676-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement HWE kernel from Ubuntu 16.04 LTS for Ubuntu 14.0...

CVE-2019-11268: UAA SQL Identity Zone Vulnerability | Cloud Foundry

Severity Medium Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions Severity is medium unless otherwise noted. UAA Release OSS is vulnerable prior to v73.3.0 Description UAA version prior to 73.3.0, contain endpoints that contains improper escaping. An authenticated...

CVE-2015-9251: UAA contains vulnerable jQuery version | Cloud Foundry

Medium Vendor The OpenJS Foundation Affected Cloud Foundry Products and Versions Severity is medium unless otherwise noted. UAA Release OSS is vulnerable prior to v73.3.0 Description Cloud Foundry UAA versions prior to 73.3.0, contains a vulnerable version of jQuery. A remote attacker can perform...

USN-5788-1: curl vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 18.04 Canonical Ubuntu 22.04 Description Hiroki Kurosawa discovered that curl incorrectly handled HSTS support when certain hostnames included IDN characters. A remote attacker could possibly use this issue to cause curl t...

USN-3945-1: Ruby vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 18.04 Description It was discovered that Ruby incorrectly handled certain RubyGems. An attacker could possibly use this issue to execute arbitrary commands. CVE-2019-8320 It was discovered that Ruby incorrectly handled...

USN-4017-1: Linux kernel vulnerabilities | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Description Jonathan Looney discovered that the TCP retransmission queue implementation in the Linux kernel could be fragmented when handling certain TCP Selective Acknowledgment SACK sequences. A remote attacker could...

USN-4591-1: Linux kernel vulnerabilities | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Description Andy Nguyen discovered that the Bluetooth L2CAP implementation in the Linux kernel contained a type-confusion error. A physically proximate remote attacker could use this to cause a denial of service system...

CVE-2020-0601: Windows CryptoAPI Spoofing Vulnerability | Cloud Foundry

Severity High Vendor Microsoft Corporation Description A spoofing vulnerability exists in the way Windows CryptoAPI Crypt32.dll validates Elliptic Curve Cryptography ECC certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious...

CVE-2019-5736: runC container breakout | Cloud Foundry

Severity High Vendor Open Container Initiative Affected Cloud Foundry Products and Versions Severity is High unless otherwise noted. BPM All prior to v1.0.3 Cloud Foundry Container Runtime CFCR All versions prior to v0.29.0 Docker BOSH Release All versions prior to v34.0.0 Garden runC All version...

CVE-2019-3800: CF CLI writes the client id and secret to config file | Cloud Foundry

Severity Medium Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions Severity is medium unless otherwise noted. CF CLI All versions prior to v6.45.0 CF CLI Release All versions prior to v1.16.0 CF Networking Release All versions Prior to v2.23.0 CF Routing Release All...

USN-4662-1: OpenSSL vulnerability | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description David Benjamin discovered that OpenSSL incorrectly handled comparing certificates containing a EDIPartyName name type. A remote attacker could possibly use this issue to cause OpenSSL...

USN-3977-1: Intel Microcode update (AKA ZombieLoad Attack) | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Canonical Ubuntu 16.04 Description Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietr...

CVE-2014-3566 SSLV3 POODLE | Cloud Foundry

CVE-2014-3566 SSLV3 POODLE Moderate Vendor The SSL protocol 3.0, as used in OpenSSL through 1.0.1i Versions Affected SSLv3 Description SSL 3.0 RFC6101 is an obsolete and insecure protocol. While for most practical purposes it has been replaced by its successors TLS 1.0 RFC2246, TLS 1.1 RFC4346 an...

USN-3981-2: Linux kernel (HWE) vulnerabilities (AKA ZombieLoad Attack) | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Description USN-3981-1 fixed vulnerabilities in the Linux kernel for Ubuntu 18.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement HWE kernel from Ubuntu 18.04 LTS for Ubuntu 16.04...

USN-5658-1: DHCP vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 18.04 Canonical Ubuntu 22.04 Description It was discovered that DHCP incorrectly handled option reference counting. A remote attacker could possibly use this issue to cause DHCP servers to crash, resulting in a denial of...

CVE-2017-5638: Apache Struts Remote Code Execution | Cloud Foundry

Severity Advisory/Critical Vendor Apache Versions Affected Apache Struts 2: 2.3.x versions prior to 2.3.32 2.5.x versions prior to 2.5.10.1 Description The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 1 mishandles file upload, which allows remote...

CVE-2014-6271 and CVE-2014-7169 - ShellShock | Cloud Foundry

CVE-2014-6271 and CVE-2014-7169 – ShellShock Important Vendor Canonical Ubuntu, CentOS Versions Affected Canonical Ubuntu 10.04 LTS that include bash CentOS 6.5 that include bash Description GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment...

USN-3538-1: OpenSSH vulnerabilities | Cloud Foundry

Severity Low Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Jann Horn discovered that OpenSSH incorrectly loaded PKCS11 modules from untrusted directories. A remote attacker could possibly use this issue to execute arbitrary PKCS11 modules. This issue only affected...

CVE-2016-6638: Credential Vulnerability for Custom Buildpacks | Cloud Foundry

Severity Medium Vendor Cloud Foundry Foundation Versions Affected cf-release versions prior to 245 Please note: this CVE was intended to be fixed in cf-release 241 but it was discovered that the fix was incomplete, which was assigned CVE-2016-6658. Description Applications can be configured and...

USN-5570-1: zlib vulnerability | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description Evgeny Legerov discovered that zlib incorrectly handled memory when performing certain inflate operations. An attacker could use this issue to cause zlib to crash, resulting in a...

USN-4008-2: AppArmor update | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Description USN-4008-1 fixed multiple security issues in the Linux kernel. This update provides the corresponding changes to AppArmor policy for correctly operating under the Linux kernel with fixes for CVE-2019-1119...

USN-2985-2 GNU C Library regression | Cloud Foundry

USN-2985-2 GNU C Library regression Medium Vendor GNU C, Canonical Ubuntu Versions Affected Ubuntu 14.04 LTS Description USN-2985-1 fixed vulnerabilities in the GNU C Library. The fix for CVE-2014-9761 introduced a regression which affected applications that use the libm library but were not full...

USN-3968-1: Sudo vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Description Florian Weimer discovered that Sudo incorrectly handled the noexec restriction when used with certain applications. A local attacker could possibly use this issue to bypass configured restrictions and...

USN-3982-2: Linux kernel (Xenial HWE) vulnerabilities (AKA ZombieLoad Attack) | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description USN-3982-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement HWE kernel from Ubuntu 16.04 for Ubuntu 14.04 LTS...

USN-3899-1: OpenSSL vulnerability | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 16.04 Canonical Ubuntu 18.04 Description Juraj Somorovsky, Robert Merget, and Nimrod Aviram discovered that certain applications incorrectly used OpenSSL and could be exposed to a padding oracle attack. A remote attacker...

USN-3619-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description USN-3619-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement HWE kernel from Ubuntu 16.04 LTS for Ubuntu 14.04...

USN-3977-2: Intel Microcode update (AKA ZombieLoad Attack) | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Canonical Ubuntu 16.04 Description USN-3977-1 provided mitigations for Microarchitectural Data Sampling MDS vulnerabilities in Intel Microcode for a large number of Intel processor families. This update provides the...

USN-5318-1: Linux kernel vulnerabilities | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 18.04 Description Nick Gregory discovered that the Linux kernel incorrectly handled network offload functionality. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. CVE-2022-256...

Various HTTP2 CVEs: Some Cloud Foundry products are impacted by HTTP denial of service attacks | Cloud Foundry

Severity High Vendor Cloud Foundry Foundation Description Some Cloud Foundry products, through their consumption of imperfect HTTP2 implementations, are impacted by various HTTP vulnerabilities, including Data Dribble, Ping Flood, Resource Loop, Reset Flood, Settings Flood, 0-Length Headers Leak,...

CVE-2019-11271: Bosh Deployment logs leak sensitive information | Cloud Foundry

Severity Medium Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions BOSH 270 versions prior to v270.1.1 Description Cloud Foundry BOSH 270.x versions prior to v270.1.1, contain a BOSH Director that does not properly redact credentials when configured to use a MySQL...