USN-3010-1 Expat vulnerabilities
Severity
Medium
Vendor
expat - XML parsing C library, Canonical Ubuntu
Versions Affected
- Canonical Ubuntu 14.04 LTS
Description
It was discovered that Expat unexpectedly called srand in certain circumstances. This could reduce the security of calling applications. (CVE-2012-6702)
It was discovered that Expat incorrectly handled seeding the random number generator. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-5300)
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- All versions of Cloud Foundry cflinuxfs2 prior to v.1.67.0
- Pivotal Elastic Runtime 1.6.x versions prior to 1.6.33 AND 1.7.x versions prior to 1.7.11
Mitigation
Users are strongly encouraged to follow the mitigation below:
- The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.67.0 or later versions
- Upgrade Pivotal Elastic Runtime 1.6.x versions to 1.6.33 OR 1.7.x versions to 1.7.11