CVE-2015-1330 Unattended-Upgrades Vulnerability
- Canonical Ubuntu 14.04 LTS
It was found that for some configurations, unattended-upgrades would not properly perform authentication checks on packages prior to installation. An attacker could thus trick unattended-upgrades into installing altered packages.
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- Any Cloud Foundry deployment with Ubuntu Trusty BOSH stemcells 3003 and prior.
- Pivotal Cloud Foundry Elastic Runtime 1.4.5 and prior.
Users of affected versions should apply the following mitigation:
- BOSH stemcell 3004 contains the patched version of unattended-upgrades that resolves CVE-2015-1330. The Cloud Foundry team recommends upgrading to BOSH stemcell 3004 or higher to address this concern.
- Pivotal Cloud Foundry Elastic Runtime will incorporate the patched version of unattended-upgrades in the next regularly-scheduled patch release of Pivotal Cloud Foundry Elastic Runtime, currently planned for 8/4/15.