1109 matches found
CVE-2016-5016 UAA accepts expired certificates | Cloud Foundry
CVE-2016-5016 UAA accepts expired certificates High Vendor Cloud Foundry Foundation Versions Affected Cloud Foundry release v239 and earlier versions UAA release v3.4.1 and earlier versions UAA release V12.2 and earlier versions Description UAA uses the OpenJDK Java Runtime Environment TrustManag...
CVE-2016-5006 Cloud Controller API logs user-provided service credentials | Cloud Foundry
CVE-2016-5006 Cloud Controller API logs user-provided service credentials High Vendor Cloud Foundry Foundation Versions Affected Cloud Foundry releases prior to v239 Description When creating a user-provided service UPS in Cloud Foundry, the Cloud Controller logs the entire UPS object including t...
USN-3012-1 Wget vulnerability | Cloud Foundry
USN-3012-1 Wget vulnerability Medium Vendor Canonical Ubuntu, wget Versions Affected Canonical Ubuntu 14.04 LTS Description Dawid Golunski discovered that Wget incorrectly handled filenames when being redirected from an HTTP to an FTP URL. A malicious server could possibly use this issue to...
CVE-2016-4450 Nginx Vulnerabilities | Cloud Foundry
CVE-2016-4450 Nginx Vulnerabilities Medium Vendor nginx, Cloud Foundry Versions Affected nginx before 1.10.1 and 1.11.x versions before 1.11.1 Cloud Foundry staticfile buildpack prior to version 1.3.9 Cloud Foundry cf-release prior to version 238 Description os/unix/ngxfiles.c in nginx before...
USN-3010-1 Expat vulnerabilities | Cloud Foundry
USN-3010-1 Expat vulnerabilities Medium Vendor expat – XML parsing C library, Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 LTS Description It was discovered that Expat unexpectedly called srand in certain circumstances. This could reduce the security of calling applications...
USN 3020-1 Linux kernel (Vivid HWE) vulnerabilities | Cloud Foundry
USN 3020-1 Linux kernel Vivid HWE vulnerabilities Low – High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 LTS Description Jesse Hertz and Tim Newsham discovered that the Linux netfilter implementation did not correctly perform validation when handling 32 bit compatibility...
CVE-2016-4468 UAA SQL Injection | Cloud Foundry
High Vendor Cloud Foundry Foundation Versions Affected Cloud Foundry release v237 and earlier versions UAA release v3.4.0 and earlier versions UAA release V12 and earlier versions Description There is the potential for a SQL injection attack in UAA for authenticated users. Mitigation OSS users ar...
USN-3001-1 Linux kernel (Vivid HWE) vulnerabilities | Cloud Foundry
USN-3001-1 Linux kernel Vivid HWE vulnerabilities High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 LTS Description Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux kernel incorrectly enables scatter/gather I/O. A remote attacker could use this to...
CVE-2016-4435 BOSH Agent Anonymous Endpoint | Cloud Foundry
CVE-2016-4435 BOSH Agent Anonymous Endpoint Medium Vendor Cloud Foundry Foundation Versions Affected BOSH stemcell versions prior to 3232.6 and 3146.13 Description An endpoint of the Agent running on the BOSH Director VM may allow unauthenticated clients to read or write blobs or cause a denial o...
USN-2966-1 OpenSSH vulnerabilities | Cloud Foundry
USN-2966-1 OpenSSH vulnerabilities Low Vendor Canonical Ubuntu, openssh Versions Affected Canonical Ubuntu 14.04 LTS Description Shayan Sadigh discovered that OpenSSH incorrectly handled environment files when the UseLogin feature is enabled. A local attacker could use this issue to gain...
USN-2994-1 libxml2 vulnerabilities | Cloud Foundry
USN-2994-1 libxml2 vulnerabilities Medium Vendor GNOME XML library, Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 LTS Description Multiple researchers discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a...
USN-2991-1 nginx vulnerability | Cloud Foundry
USN-2991-1 nginx vulnerability Medium Vendor Nginx, Canonical Ubuntu Versions Affected BOSH-release versions prior to 255.11 Description It was discovered that nginx incorrectly handled saving client request bodies to temporary files. A remote attacker could possibly use this issue to cause nginx...
USN-2990-1 ImageMagick vulnerability (a.k.a. ImageTragick) | Cloud Foundry
USN-2990-1 ImageMagick vulnerability a.k.a. ImageTragick Medium Vendor Imagemagick, Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 LTS Description Nikolay Ermishkin and Stewie discovered that ImageMagick incorrectly sanitized untrusted input. A remote attacker could use these issues to...
USN-2961-1 Little CMS vulnerability | Cloud Foundry
USN-2961-1 Little CMS vulnerability Medium Vendor Little CMS, Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 LTS Description It was discovered that a double free could occur when the intent handling code in the Little CMS library detected an error. An attacker could use this to special...
USN-2985-2 GNU C Library regression | Cloud Foundry
USN-2985-2 GNU C Library regression Medium Vendor GNU C, Canonical Ubuntu Versions Affected Ubuntu 14.04 LTS Description USN-2985-1 fixed vulnerabilities in the GNU C Library. The fix for CVE-2014-9761 introduced a regression which affected applications that use the libm library but were not full...
USN-2983-1 Expat vulnerability | Cloud Foundry
USN-2983-1 Expat vulnerability Medium Vendor Expat, Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 LTS Description Gustavo Grieco discovered that Expat incorrectly handled malformed XML data. If a user or application linked against Expat were tricked into opening a crafted XML file, an...
USN-2981-1 libarchive vulnerabilities | Cloud Foundry
USN-2981-1 libarchive vulnerabilities Medium Vendor Libarchive, Canonical Ubuntu Versions Affected Ubuntu 14.04 LTS Description It was discovered that libarchive incorrectly handled certain entry-size values in ZIP archives. A remote attacker could use this issue to cause libarchive to crash,...
USN-2987-1 GD library vulnerabilities | Cloud Foundry
USN-2987-1 GD library vulnerabilities Medium Vendor libgd2, Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 LTS Description It was discovered that the GD library incorrectly handled certain color tables in XPM images. If a user or automated system were tricked into processing a speciall...
CVE-2013-7456 and CVE-2016-5093 PHP vulnerabilities | Cloud Foundry
CVE-2013-7456 and CVE-2016-5093 PHP vulnerabilities Low Vendor PHP Versions Affected Cloud Foundry PHP buildpack versions prior to 4.3.14 Description Several out-of-bounds reads were discovered in PHP and its dependencies that could cause memory leaks or other unexpected conditions. Mitigation...
USN-2970-1 Linux kernel (Vivid HWE) vulnerabilities | Cloud Foundry
USN-2970-1 Linux kernel Vivid HWE vulnerabilities Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 LTS Description Ralf Spenneberg discovered that the Aiptek Tablet USB device driver in the Linux kernel did not properly sanity check the endpoints reported by the device. An...
CVE-2016-3084 UAA Password Reset Vulnerability | Cloud Foundry
CVE-2016-3084 UAA Password Reset Vulnerability Low Vendor Cloud Foundry Foundation Versions Affected Cloud Foundry release v236 and earlier versions UAA release v3.3.0 and earlier versions All versions of Login-server UAA release v10 and earlier versions Description The UAA reset password flow is...
USN-2977-1 Linux kernel (Vivid HWE) vulnerabilities | Cloud Foundry
USN-2977-1 Linux kernel Vivid HWE vulnerabilities High Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 LTS Description Philip Pettersson discovered that the Linux kernel’s ASN.1 DER decoder did not properly process certificate files with tags of indefinite length. A local...
CVE-2016-3091 Diego log encoding vulnerability | Cloud Foundry
CVE-2016-3091 Diego log encoding vulnerability High Vendor Cloud Foundry Foundation Versions Affected Diego-release versions 0.1468.0 through 0.1470.0 Description Due to how Diego handles breaking up large log streams on UTF-8 boundaries, it is possible to cause a denial of service on a Cloud...
USN-2949-1 Linux kernel (Vivid HWE) vulnerabilities | Cloud Foundry
USN-2949-1 Linux kernel Vivid HWE vulnerabilities Low/Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 14.04 LTS Description Venkatesh Pottem discovered a use-after-free vulnerability in the Linux kernel’s CXGB3 driver. A local attacker could use this to cause a denial of service...
USN-2957-1 Libtasn1 vulnerability | Cloud Foundry
USN-2957-1 Libtasn1 vulnerability Medium Vendor Canonical Ubuntu, Libtasn1 Versions Affected Ubuntu 14.04 LTS Description Pascal Cuoq and Miod Vallat discovered that Libtasn1 incorrectly handled certain malformed DER certificates. A remote attacker could possibly use this issue to cause...
USN-2935-2 PAM regression | Cloud Foundry
USN-2935-2 PAM regression Low Vendor Ubuntu Versions Affected Ubuntu 14.04 LTS Description USN-2935-1 fixed vulnerabilities in PAM. The updates contained a packaging change that prevented upgrades in certain multiarch environments. USN-2935-2 fixes the problem. Original issues from USN-2935-1: It...
USN-2959-1 OpenSSL vulnerabilities | Cloud Foundry
USN-2959-1 OpenSSL vulnerabilities High Vendor Canonical Ubuntu, OpenSSL Versions Affected Canonical Ubuntu 14.04 LTS, OpenSSLv1 Description Huzaifa Sidhpurwala, Hanno Böck, and David Benjamin discovered that OpenSSL incorrectly handled memory when decoding ASN.1 structures. A remote attacker cou...
CVE-2015-5170-5173 UAA Vulnerabilities | Cloud Foundry
CVE-2015-5170-5173 UAA Vulnerabilities Low Vendor Cloud Foundry Foundation Versions Affected cf-release versions v215 & prior UAA versions 2.5.1 & prior Description CSRF Attack on PWS. It is possible to log the user into another account instead of the account they intended to log into because of...
Samba and Windows Vulnerabilities | Cloud Foundry
Samba and Windows Vulnerabilities Medium Vendor Samba, Microsoft Windows Versions Affected The following versions of Samba are affected: 3.6.x, 4.0.x, 4.1.x, 4.2.0-4.2.9, 4.3.0-4.3.6, and 4.4.0. The affected Microsoft Windows versions can be viewed here:...
USN-2916-1 Perl vulnerabilities | Cloud Foundry
USN-2916-1 Perl vulnerabilities Medium Vendor Ubuntu, Perl Versions Affected Ubuntu 14.04 LTS Description Several security issues were fixed in Perl. It was discovered that Perl incorrectly handled certain regular expressions with an invalid back-reference. An attacker could use this issue to cau...
USN-2925-1 Bind9 vulnerabilities | Cloud Foundry
USN-2925-1 Bind9 vulnerabilities Medium Vendor Ubuntu, Bind9 Versions Affected Ubuntu 14.04 LTS Description Bind could be made to crash if it received specially crafted network traffic. It was discovered that Bind incorrectly handled input received by the rndc control channel. A remote attacker...
USN-2938-1 Git vulnerabilities | Cloud Foundry
USN-2938-1 Git vulnerabilities High Vendor Ubuntu, Git Versions Affected All Git versions prior to 2.7.4 Description Git could be made to crash or run programs as your login if it received changes from a specially crafted remote repository. Laël Cellier discovered that Git incorrectly handled pat...
Warning about NPM modules | Cloud Foundry
Warning about NPM modules Advisory Vendor Node Package Manager NPM Versions Affected Cloud Foundry NodeJS Buildpack Description If your app developers deploy Node applications, we’d like to alert you to recent developments with NPM and module ownership in the Node community. A blog post was...
USN-2919-1 JasPer vulnerabilities | Cloud Foundry
USN-2919-1 JasPer vulnerabilities Medium Vendor Ubuntu, JasPer Versions Affected Ubuntu 14.04 LTS Description Jacob Baines discovered that JasPer incorrectly handled ICC color profiles in JPEG-2000 image files. If a user were tricked into opening a specially crafted JPEG-2000 image file, a remote...
USN-2927-1 Graphite2 vulnerabilities | Cloud Foundry
USN-2927-1 Graphite2 vulnerabilities Medium Vendor Graphite2 Versions Affected Ubuntu 14.04 Description Graphite2 could be made to crash or run programs as your login if it opened a specially crafted font. It was discovered that graphite2 incorrectly handled certain malformed fonts. If a user or...
USN-2918-1 Pixman vulnerabilities | Cloud Foundry
USN-2918-1 Pixman vulnerabilities Medium Vendor Ubuntu, Pixman Versions Affected Ubuntu 14.04 LTS Description Pixman could be made to crash or run programs as your login if it processed specially crafted data. Vincent LE GARREC discovered an integer underflow in pixman. If a user were tricked int...
USN-2914-1 OpenSSL vulnerabilities | Cloud Foundry
USN-2914-1 OpenSSL vulnerabilities Low Vendor Ubuntu, OpenSSL Versions Affected Ubuntu 14.04 LTS SSLv1 Description Several security issues were fixed in OpenSSL. Yuval Yarom, Daniel Genkin, and Nadia Heninger discovered that OpenSSL was vulnerable to a side-channel attack on modular exponentiatio...
USN-2939-1 LibTIFF vulnerabilities | Cloud Foundry
USN-2939-1 LibTIFF vulnerabilities Low Vendor Ubuntu, LibTIFF Versions Affected Ubuntu 14.04 Description LibTIFF could be made to crash or run programs as your login if it opened a specially crafted file. It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or...
CVE-2016-2165 Loggregator Request URL Paths | Cloud Foundry
Severity Medium Vendor Cloud Foundry Foundation, VMware Cloud Foundry Versions Affected cf-release v231 and lower Description The Loggregator Traffic Controller endpoints are not cleansing request URL paths when they are invalid and is returning them in the 404 response. This could allow maliciou...
USN-2932-1 Linux kernel vulnerabilities | Cloud Foundry
USN-2932-1 Linux kernel vulnerabilities High Vendor Ubuntu Description Ben Hawkes discovered that the Linux netfilter implementation did not correctly perform validation when handling IPTSOSETREPLACE events. A local unprivileged attacker could use this to cause a denial of service system crash or...
CVE-2016-0800 & CVE-2016-0703 OpenSSL vulnerabilities | Cloud Foundry
CVE-2016-0800 & CVE-2016-0703 OpenSSL vulnerabilities High Vendor OpenSSL Versions Affected SSLv2 Description The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possess...
USN-2910-1 Linux kernel vulnerability | Cloud Foundry
USN-2910-1 Linux kernel vulnerability High Vendor Ubuntu Versions Affected Ubuntu 14.04 Description halfdog discovered that OverlayFS, when mounting on top of a FUSE mount, incorrectly propagated file attributes, including setuid. A local unprivileged attacker could use this to gain privileges...
CVE-2016-0761 Docker Image Host Files Corruption | Cloud Foundry
CVE-2016-0761 Docker Image Host Files Corruption Critical Vendor Cloud Foundry Foundation Description Garden linux contains a flaw in managing container files during Docker image preparation that could be used to delete, corrupt or overwrite host files and directories, including other container...
USN-2900-1 GNU libc vulnerability | Cloud Foundry
USN-2900-1 GNU libc vulnerability High Vendor glibc Versions Affected Ubuntu 14.04 Description It was discovered that the GNU C Library incorrectly handled receiving responses while performing DNS resolution. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in...
CVE-2016-0732 Privilege Escalation | Cloud Foundry
CVE-2016-0732 Privilege Escalation Critical Vendor Cloud Foundry Foundation Versions Affected Cloud Foundry v208 through v229 UAA v2.0.0 – v2.7.3 & v3.0.0 UAA-Release v2 through v4 Description A privilege elevation vulnerability has been identified with the identity zones feature of UAA. Users wi...
CVE-2016-0713: Gorouter XSS | Cloud Foundry
Severity Medium Vendor Cloud Foundry Foundation Description A vulnerability has been discovered in the gorouter process that allows a cross-site-scripting XSS attack. Should a malicious actor intermediate requests from clients to the router, modifying the request to contain malicious code, this...
USN-2871-1 Linux kernel vulnerability | Cloud Foundry
USN-2871-1 Linux kernel vulnerability High Vendor Ubuntu Versions Affected Ubuntu 14.04 Description Yevgeny Pats discovered that the session keyring implementation in the Linux kernel did not properly reference count when joining an existing session keyring. A local attacker could use this to cau...
CVE-2016-0715 Remote Information Disclosure | Cloud Foundry
CVE-2016-0715 Remote Information Disclosure Critical Vendor Cloud Foundry Foundation Versions Affected Cloud Foundry v166 through v227 Cloud Foundry Java Buildpack v2.0 through v3.4 Description Original mitigation configuration instructions provided as part of CVE-2016-0708 were incomplete and...
USN-2861-1 libpng vulnerability | Cloud Foundry
USN-2861-1 libpng vulnerability Medium Vendor libpng Versions Affected Ubuntu 14.04 Description It was discovered that libpng incorrectly handled certain small bit-depth values. If a user or automated system using libpng were tricked into opening a specially crafted image, an attacker could explo...
USN-2869-1 OpenSSH vulnerability | Cloud Foundry
USN-2869-1 OpenSSH vulnerability High Vendor OpenSSH Versions Affected Ubuntu 14.04 Description It was discovered that the OpenSSH client experimental support for resuming connections contained multiple security issues. A malicious server could use this issue to leak client memory to the server,...