All Vulnerability Reports

USN-6381-1: GNU binutils vulnerabilities

Severity

Medium

Vendor

VMware Tanzu

Versions Affected

• Canonical Ubuntu 16.04
• Canonical Ubuntu 18.04

Description

It was discovered that a memory leak existed in certain GNU binutils modules. An attacker could possibly use this issue to cause a denial of service (memory exhaustion). (CVE-2020-19724, CVE-2020-21490) It was discovered that GNU binutils was not properly performing bounds checks in several functions, which could lead to a buffer overflow. An attacker could possibly use this issue to cause a denial of service, expose sensitive information or execute arbitrary code. (CVE-2020-19726, CVE-2021-46174, CVE-2022-45703) It was discovered that GNU binutils was not properly initializing heap memory when processing certain print instructions. An attacker could possibly use this issue to expose sensitive information. (CVE-2020-35342) It was discovered that GNU binutils was not properly handling the logic behind certain memory management related operations, which could lead to a buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2022-44840) It was discovered that GNU binutils was not properly handling the logic behind certain memory management related operations, which could lead to an invalid memory access. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-47695) Update Instructions: Run `sudo pro fix USN-6381-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: binutils-dev - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-powerpc-linux-gnuspe - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-arm-linux-gnueabihf - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-hppa64-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-multiarch - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-mipsel-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-m68k-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-s390x-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-multiarch-dev - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-doc - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-sh4-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-mips64-linux-gnuabi64 - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-aarch64-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-source - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-mips64el-linux-gnuabi64 - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-mips-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-powerpc64le-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-powerpc64-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-hppa-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-sparc64-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-arm-linux-gnueabi - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-alpha-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm7 binutils-powerpc-linux-gnu - 2.26.1-1ubuntu1~16.04.8+esm7 binutils - 2.26.1-1ubuntu1~16.04.8+esm7 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro

CVEs contained in this USN include: CVE-2020-19724, CVE-2020-19726, CVE-2020-21490, CVE-2020-35342, CVE-2021-46174, CVE-2022-44840, CVE-2022-45703, CVE-2022-47695

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

• Platform Automation Toolkit
  • 4.0.x versions prior to 4.0.13
  • 4.1.x versions prior to 4.1.13
  • 4.2.x versions prior to 4.2.8
  • 4.3.x versions prior to 4.3.5

• Isolation Segment
  • 2.11.x versions prior to 2.11.40, or later versions with Xenial Stemcells prior to 621.687
  • 2.13.x versions prior to 2.13.25, or later versions with Xenial Stemcells prior to 621.687
  • 3.0.x versions prior to 3.0.18
  • 4.0.x versions prior to 4.0.10+LTS-T

• Operations Manager
  • 2.10.x versions prior to 2.10.62

• VMware Tanzu Application Service for VMs
  • 2.11.x versions prior to 2.11.46, or later versions with Xenial Stemcells prior to 621.687
  • 2.13.x versions prior to 2.13.28, or later versions with Xenial Stemcells prior to 621.687
  • 3.0.x versions prior to 3.0.18
  • 4.0.x versions prior to 4.0.10+LTS-T

Mitigation

Users of affected products are strongly encouraged to follow the mitigation below. On the Tanzu Network product page for each release, check the Depends On section and/or Release Notes for this information. Releases that have fixed this issue include:

• Platform Automation Toolkit
  • 4.0.13
  • 4.1.13
  • 4.2.8
  • 4.3.5

• Isolation Segment
  • 2.11.40, and upgrade Xenial Stemcells to 621.687 or greater
  • 2.13.25, and upgrade Xenial Stemcells to 621.687 or greater
  • 3.0.18
  • 4.0.10+LTS-T

• Operations Manager
  • 2.10.62

• VMware Tanzu Application Service for VMs
  • 2.11.46, and upgrade Xenial Stemcells to 621.687 or greater
  • 2.13.28, and upgrade Xenial Stemcells to 621.687 or greater
  • 3.0.18
  • 4.0.10+LTS-T

References

• https://ubuntu.com/security/CVE-2020-19724
• https://ubuntu.com/security/CVE-2020-19726
• https://ubuntu.com/security/CVE-2020-21490
• https://ubuntu.com/security/CVE-2020-35342
• https://ubuntu.com/security/CVE-2021-46174
• https://ubuntu.com/security/CVE-2022-44840
• https://ubuntu.com/security/CVE-2022-45703
• https://ubuntu.com/security/CVE-2022-47695
• https://ubuntu.com/security/notices/USN-6381-1

History

2023-10-18: Initial vulnerability report published.