USN-2639-1 OpenSSL vulnerabilities
- Ubuntu 14.04
It was discovered that OpenSSL incorrectly handled memory when buffering DTLS data. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code.
The Cloud Foundry project has released a cf-release version 212 that has the patched version of the OpenSSL.
Pivotal is releasing Pivotal Elastic Runtime 1.5.1 with this patched cf-release. The other Pivotal Cloud Foundry products do not expose this vulnerability to users of the system.
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- All versions of Cloud Foundry cf-release 211 and prior have versions of OpenSSL to USN-2639-1
- Pivotal CF Elastic Runtime 1.5.0 and earlier versions
Users of affected versions should apply the following mitigation:
- The Cloud Foundry project recommends that Cloud Foundry Runtime Deployments run with cf-release 212 or later when they are available, which contain the patched version of OpenSSL that resolves USN-2639-1.
- Pivotal recommends that customers upgrade to Pivotal CF Elastic Runtime 1.5.1 or later as the versions become available.
Praveen Kariyanahalli, Ivan Fratric and Felix Groebert