USN-2990-1 ImageMagick vulnerability (a.k.a. ImageTragick)

Severity

Medium

Vendor

Imagemagick, Canonical Ubuntu

Versions Affected

Canonical Ubuntu 14.04 LTS

Description

Nikolay Ermishkin and Stewie discovered that ImageMagick incorrectly sanitized untrusted input. A remote attacker could use these issues to execute arbitrary code. These issues are known as 'ImageTragick'. This update disables problematic coders via the /etc/ImageMagick-6/policy.xml configuration file. In certain environments the coders may need to be manually re-enabled after making sure that ImageMagick does not process untrusted input. (CVE-2016-3714, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717, CVE-2016-3718)

Bob Friesenhahn discovered that ImageMagick allowed injecting commands via an image file or filename. A remote attacker could use this issue to execute arbitrary code. (CVE-2016-5118)

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

All versions of Cloud Foundry cflinuxfs2 prior to v.1.65.0
Pivotal Elastic Runtime 1.6.x versions prior to 1.6.27 AND 1.7.x versions prior to 1.7.5

Mitigation

Users of affected versions should apply the following mitigation:

The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.65.0 or later versions
Upgrade Pivotal Elastic Runtime 1.6.x versions to 1.6.27 OR 1.7.x versions to 1.7.5

Credit

Stewie, Nikolay Ermishkin, Bob Friesenhahn