USN-3711-1: ImageMagick vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Affected Cloud Foundry Products and Versions Severity is medium unless otherwise noted. All versions of Cloud Foundry cflinuxfs2 prior to 1.225.0 Mitigation OSS users are strongly encouraged to follow one...

USN-3690-1: AMD Microcode update | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via sidechannel attacks. This flaw is known as Spectre. A local attacker...

USN-3707-1: NTP vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Yihan Lian discovered that NTP incorrectly handled certain malformed mode 6 packets. A remote attacker could possibly use this issue to cause ntpd to crash, resulting in a denial of service. This issue on...

USN-3706-1: libjpeg-turbo vulnerabilities | Cloud Foundry

Severity Low Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Affected Cloud Foundry Products and Versions Severity is low unless otherwise noted. All versions of Cloud Foundry cflinuxfs2 prior to 1.224.0 Mitigation OSS users are strongly encouraged to follow one of th...

USN-3690-2: AMD Microcode regression | Cloud Foundry

Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description USN-3690-1 provided updated microcode for AMD processors to address CVE-2017-5715 aka Spectre. Unfortunately, the update caused some systems to fail to boot. This update reverts the update for Ubuntu 14.04 LTS. We...

CVE-2018-11047: UAA accepts refresh token as access token on admin endpoints | Cloud Foundry

Severity High Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions You are using uaa versions 4.19 prior to 4.19.2, 4.12 prior to 4.12.4, 4.10 prior to 4.10.2, 4.7 prior to 4.7.6, 4.5 prior to 4.5.7 You are using uaa-release versions v60 prior to v60.2, v57 prior to v57.4,...

USN-3692-1: OpenSSL vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Keegan Ryan discovered that OpenSSL incorrectly handled ECDSA key generation. An attacker could possibly use this issue to perform a cache-timing attack and recover private ECDSA keys. CVE-2018-0495 Guido...

USN-3689-1: Libgcrypt vulnerability | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Affected Cloud Foundry Products and Versions Severity is medium unless otherwise noted. Cloud Foundry BOSH stemcells are vulnerable, including: 3586.x versions prior to 3586.25 3541.x versions prior to...

USN-3693-1: JasPer vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Affected Cloud Foundry Products and Versions Severity is medium unless otherwise noted. All versions of Cloud Foundry cflinuxfs2 prior to 1.222.0 Mitigation OSS users are strongly encouraged to follow one...

USN-3696-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description USN-3696-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement HWE kernel from Ubuntu 16.04 LTS for Ubuntu 14.0...

CVE-2018-11041: UAA open redirect | Cloud Foundry

Severity High Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions You are using uaa versions later than 4.6.0 and prior to 4.19.0, except 4.10.1 and 4.7.5 You are using uaa-release versions later than v48 and prior to v60, except v57.3, v55.1 and v52.9 Description Cloud...

USN-3676-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description USN-3676-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement HWE kernel from Ubuntu 16.04 LTS for Ubuntu 14.0...

USN-3684-1: Perl vulnerability | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Affected Cloud Foundry Products and Versions Severity is medium unless otherwise noted. Cloud Foundry BOSH stemcells are vulnerable, including: 3586.x versions prior to 3586.24 3541.x versions prior to...

USN-3675-1: GnuPG vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Marcus Brinkmann discovered that during decryption or verification, GnuPG did not properly filter out terminal sequences when reporting the original filename. An attacker could use this to specially craft...

USN-3686-1: file vulnerabilities | Cloud Foundry

Severity Low Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Alexander Cherepanov discovered that file incorrectly handled a large number of notes. An attacker could use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS. CVE-2014-9620...

USN-3671-1: Git vulnerabilities | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Etienne Stalmans discovered that git did not properly validate git submodules files. A remote attacker could possibly use this to craft a git repo that causes arbitrary code execution when “git clone...

USN-3681-1: ImageMagick vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could...

CVE-2018-1265: Diego does not properly sanitize file paths in tar/zip files | Cloud Foundry

Severity Critical Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions You are using diego-release versions prior to 2.8.0 You are using cf-deployment versions prior to v1.37.0 Description Cloud Foundry Diego, release versions prior to 2.8.0, does not properly sanitize fil...

CVE-2018-1269: Loggregator does not properly close some TCP connections | Cloud Foundry

Severity Medium Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions You are using loggregator-release Version 89.x prior to 89.5 Version 96.x prior to 96.1 Version 99.x prior to 99.1 Version 101.x prior to 101.9 Version 102.x prior to 102.2 Description Cloud Foundry...

USN-3643-1: Wget vulnerability | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Affected Cloud Foundry Products and Versions Severity is medium unless otherwise noted. Cloud Foundry BOSH stemcells are vulnerable, including: 3363.x versions prior to 3363.62 3421.x versions prior to...

USN-3658-1: procps-ng vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description It was discovered that the procps-ng top utility incorrectly read its configuration file from the current working directory. A local attacker could possibly use this issue to escalate privileges...

USN-3648-1: curl vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Dario Weisser discovered that curl incorrectly handled long FTP server command replies. If a user or automated system were tricked into connecting to a malicious FTP server, a remote attacker could use th...

USN-3654-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description USN-3654-1 fixed vulnerabilities and added mitigations in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement HWE kernel from Ubuntu 16....

CVE-2018-1268: Loggregator lacks app GUID validation | Cloud Foundry

Severity Medium Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions You are using loggregator-release Version 89.x prior to 89.5 Version 96.x prior to 96.1 Version 99.x prior to 99.1 Version 101.x prior to 101.9 Version 102.x prior to 102.2 Description Cloud Foundry...

USN-3641-1: Linux kernel vulnerabilities | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Nick Peterson discovered that the Linux kernel did not properly handle debug exceptions following a MOV/POP to SS instruction. A local attacker could use this to cause a denial of service system crash. This...

CVE-2018-1193: gorouter accepts user-provided X-Forwarded-Proto headers  | Cloud Foundry

Severity Low Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions You are using routing-release versions prior to 0.175.0 You are using cf-deployment versions prior to v1.27.0 Description Cloud Foundry routing-release, versions prior to 0.175.0, lacks sanitization for...

CVE-2018-1276: Windows2012R2 stemcell exposes IaaS metadata on vSphere | Cloud Foundry

Severity Medium Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions You are using Windows 2012R2 stemcells versions prior to 1200.17 Description Windows 2012R2 stemcells, versions prior to 1200.17, contain an information exposure vulnerability on vSphere. A remote user wi...

CVE-2018-1262: UAA privilege escalation across identity zones | Cloud Foundry

Severity Critical Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions You are using uaa-release versions v57, v57.1 or v58 You are using uaa versions 4.12.x or 4.13.x You are using cf-deployment versions v1.27.0 through v1.31.0 Description UAA, versions 4.12.X and 4.13.X,...

USN-3631-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description USN-3631-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement HWE kernel from Ubuntu 16.04 LTS for Ubuntu 14.0...

USN-3624-1: Patch vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description It was discovered that Patch incorrectly handled certain files. An attacker could possibly use this to cause a denial of service. CVE-2016-10713 It was discovered that Patch incorrectly handled certain...

USN-3625-1: Perl vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description It was discovered that Perl incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause Perl to hang, resulting in a denial of service. This issue only affected...

USN-3628-1: OpenSSL vulnerability | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia discovered that OpenSSL incorrectly handled RSA key generation. An attacker could possibly use this issue to...

USN-3622-1: Wayland vulnerability | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description It was discovered that the Wayland Xcursor support incorrectly handled certain files. An attacker could use these issues to cause Wayland to crash, resulting in a denial of service, or possibly execute...

USN-3569-1: libvorbis vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description It was discovered that libvorbis incorrectly handled certain sound files. An attacker could possibly use this to execute arbitrary code. CVE-2017-14632 It was discovered that libvorbis incorrectly handled...

USN-3602-1: LibTIFF vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Affected Cloud Foundry Products and Versions Severity is medium unless otherwise noted. All versions of Cloud Foundry cflinuxfs2 prior to 1.192.0 Mitigation OSS users are strongly encouraged to follow one...

USN-3610-1: ICU vulnerability | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Affected Cloud Foundry Products and Versions Severity is medium unless otherwise noted. Cloud Foundry BOSH stemcells are vulnerable, including: 3363.x versions prior to 3363.53 3421.x versions prior to...

USN-3619-2: Linux kernel (Xenial HWE) vulnerabilities | Cloud Foundry

Severity High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description USN-3619-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement HWE kernel from Ubuntu 16.04 LTS for Ubuntu 14.04...

USN-3586-1: DHCP vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Konstantin Orekhov discovered that the DHCP server incorrectly handled a large number of concurrent TCP sessions. A remote attacker could possibly use this issue to cause a denial of service. This issue...

USN-3606-1: LibTIFF vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Affected Cloud Foundry Products and Versions Severity is medium unless otherwise noted. All versions of Cloud Foundry cflinuxfs2 prior to 1.195.0 Mitigation OSS users are strongly encouraged to follow one...

USN-3584-1: sensible-utils vulnerability | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Affected Cloud Foundry Products and Versions Severity is medium unless otherwise noted. Cloud Foundry BOSH stemcells are vulnerable, including: 3363.x versions prior to 3363.51 3421.x versions prior to...

USN-3611-1: OpenSSL vulnerability | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Affected Cloud Foundry Products and Versions Severity is medium unless otherwise noted. Cloud Foundry BOSH stemcells are vulnerable, including: 3363.x versions prior to 3363.53 3421.x versions prior to...

USN-3604-1: libvorbis vulnerability | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Affected Cloud Foundry Products and Versions Severity is medium unless otherwise noted. All versions of Cloud Foundry cflinuxfs2 prior to 1.194.0 Mitigation OSS users are strongly encouraged to follow one...

USN-3346-2: Bind regression | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description USN-3346-1 fixed vulnerabilities in Bind. The fix for CVE-2017-3142 introduced a regression in the ability to receive an AXFR or IXFR in the case where TSIG is used and not every message is signed. This...

CVE-2018-1277: Garden does not correctly enforce Docker image disc quotas | Cloud Foundry

Severity High Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions You are using garden-runc-release version prior to 1.13.0 You are using cf-deployment version prior to 1.28.0 Description Cloud Foundry Garden-runC, versions prior to 1.13.0, does not correctly enforce disc...

MS-ISAC: 2018-046 - Multiple Vulnerabilities in PHP | Cloud Foundry

Severity Critical Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions You are using php-buildpack prior to version 4.3.53 Description Multiple upstream vulnerabilities have been discovered in all supported PHP versions in the PHP buildpack. MS-ISAC reports that the most...

USN-3598-1: curl vulnerabilities | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 Description Phan Thanh discovered that curl incorrectly handled certain FTP paths. An attacker could use this to cause a denial of service or possibly execute arbitrary code. CVE-2018-1000120 Dario Weisser discovered...

CVE-2018-1191 - Garden may log Docker passwords | Cloud Foundry

Severity High Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions You are using garden-runc-release prior to version 1.11.0 You are using cf-deployment prior to version 1.9.0 Description Cloud Foundry Garden-runC, versions prior to 1.11.0, contains an information exposure...

CVE-2018-1231: BOSH CLI does not restrict access to configuration file | Cloud Foundry

Severity Medium Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions You are using BOSH CLI version prior to v3.0.1 Description Cloud Foundry BOSH CLI, versions prior to v3.0.1, contains an improper access control vulnerability. A user with access to an instance using the...

CVE-2018-1266: Cloud Controller file modification via malicious application | Cloud Foundry

Severity Critical Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions You are using Cloud Controller version prior to 1.52.0 You are using cf-deployment version prior to 1.21.0 Description Cloud Foundry Cloud Controller, versions prior to 1.52.0, contains information...

CVE-2018-1267: Silk permits routing to all applications if ASG overlaps with overlay network | Cloud Foundry

Severity Medium Vendor Cloud Foundry Foundation Affected Cloud Foundry Products and Versions You are using Silk release version prior to 0.2.0 You are using cf-deployment with experimental ops file ‘use-silk-release.yml’ version prior to 1.21.0 Description Cloud Foundry Silk CNI plugin, versions...