[QSA-0624192] Security Update Bundle

Qlustar Security Advisory 0624192

June 24th, 2019


Summary:

A Qlustar security update bundle is a cumulative update of packages that are taken from upstream Debian/Ubuntu without modification. Only packages that are used in a typical HPC/Storage cluster installation are mentioned in Qlustar Security Advisories. Other non-HPC related updates also enter the Qlustar repository, but their functionality is not separately verified by the Qlustar team. To track these updates subscribe to the general security mailing lists of Debian/Ubuntu and/or CentOS.


    Package(s)       : see upstream description of individual package
    Qlustar releases : 10.1, 11.0
    Affected versions: All versions prior to this update
    Vulnerability    : see upstream description of individual package
    Problem type     : see upstream description of individual package
    Qlustar-specific : no
    CVE Id(s)        : see upstream description of individual package
  

This update includes several security related package updates from Debian/Ubuntu and CentOS. The following list provides references to the upstream security report of the corresponding packages. You can view the original upstream advisory by clicking on the corresponding title.

Relevant to Qlustar 11.0 and 10.1

bzip2 vulnerabilities

Aladdin Mubaied discovered that bzip2 incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Qlustar 10.1.

It was discovered that bzip2 incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code.

ImageMagick vulnerability

It was discovered that ImageMagick incorrectly handled certain malformed image files. If a user or automated system using ImageMagick were tricked into opening a specially crafted image, an attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program.

Vim vulnerabilities

It was discovered that Vim incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Qlustar 10.1.

It was discovered that Vim incorrectly handled certain files. An attacker could possibly use this issue to execute arbitrary code.

CentOS 7.6 security updates

Please check the CentOS mailing list for details about CentOS 7 updates that entered this release (everything before June 23rd, 2019).

Relevant to Qlustar 10.1 only

DBus vulnerability

Joe Vennix discovered that DBus incorrectly handled DBUS_COOKIE_SHA1 authentication. A local attacker could possibly use this issue to bypass authentication and connect to DBus servers with elevated privileges.

GLib vulnerability

It was discovered that GLib incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information.

PHP vulnerabilities

It was discovered that PHP incorrectly handled certain exif tags in images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly obtain sensitive information.

It was discovered that PHP incorrectly decoding certain MIME headers. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service.

It was discovered that PHP incorrectly handled certain exif tags in images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.

Berkeley DB vulnerability

It was discovered that Berkeley DB incorrectly handled certain inputs. An attacker could possibly use this issue to read sensitive information.

Corosync vulnerability

It was discovered that Corosync incorrectly handled certain requests. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

GnuTLS vulnerabilities

Eyal Ronen, Kenneth G. Paterson, and Adi Shamir discovered that GnuTLS was vulnerable to a timing side-channel attack known as the "Lucky Thirteen" issue. A remote attacker could possibly use this issue to perform plaintext-recovery attacks via analysis of timing data.

curl vulnerabilities

It was discovered that curl incorrectly handled memory when receiving data from a TFTP server. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code.

QEMU update

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Giorgi Maisuradze, Dan Horea Lutas, Andrei Lutas, Volodymyr Pikhur, Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida, Moritz Lipp, Michael Schwarz, and Daniel Gruss discovered that memory previously stored in microarchitectural fill buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information.

Brandon Falk, Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that memory previously stored in microarchitectural load ports of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information.

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Marina Minkin, Daniel Moghimi, Moritz Lipp, Michael Schwarz, Jo Van Bulck, Daniel Genkin, Daniel Gruss, Berk Sunar, Frank Piessens, and Yuval Yarom discovered that memory previously stored in microarchitectural store buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information.

Kurtis Miller discovered that a buffer overflow existed in QEMU when loading a device tree blob. A local attacker could use this to execute arbitrary code.

Ke Sun, Henrique Kawakami, Kekai Hu, Rodrigo Branco, Volodrmyr Pikhur, Moritz Lipp, Michael Schwarz, Daniel Gruss, Stephan van Schaik, Alyssa Milburn, Sebastian Österlund, Pietro Frigo, Kaveh Razavi, Herbert Bos, and Cristiano Giuffrida discovered that uncacheable memory previously stored in microarchitectural buffers of an Intel CPU core may be exposed to a malicious process that is executing on the same CPU core. A local attacker could use this to expose sensitive information.

William Bowling discovered that an information leak existed in the SLiRP networking implementation of QEMU. An attacker could use this to expose sensitive information.

Samba vulnerability

Isaac Boukris and Andrew Bartlett discovered that Samba incorrectly checked S4U2Self packets. In certain environments, a remote attacker could possibly use this issue to escalate privileges.

OpenJDK vulnerabilities

It was discovered that the BigDecimal implementation in OpenJDK performed excessive computation when given certain values. An attacker could use this to cause a denial of service (excessive CPU usage).

Corwin de Boor and Robert Xiao discovered that the RMI registry implementation in OpenJDK did not properly select the correct skeleton class in some situations. An attacker could use this to possibly escape Java sandbox restrictions.

Mateusz Jurczyk discovered a vulnerability in the 2D component of OpenJDK. An attacker could use this to possibly escape Java sandbox restrictions.

Mateusz Jurczyk discovered a vulnerability in the font layout engine of OpenJDK’s 2D component. An attacker could use this to possibly escape Java sandbox restrictions.

Update instructions:

The problem can be corrected by updating your system to the following Qlustar package versions in addition to the package versions mentioned in the upstream reports (follow the Qlustar Update Instructions):

For Qlustar 11.0

    qlustar-module-core-bionic-amd64-11.0.0    11.0.0.1-b514f1258
    qlustar-module-core-centos7-amd64-11.0.0   11.0.0.1-b514f1257
  

For Qlustar 10.1

    qlustar-module-core-xenial-amd64-10.1.1    10.1.1.5-b509f1256