[QSA-0709191] ZeroMQ vulnerability
Qlustar Security Advisory 0709191
July 9th, 2019
ZeroMQ is vulnerable to denial of service attacks or possible remote code execution.
Package(s)        : zeromq, zeromq3
Qlustar releases  : 10.1, 11.0
Affected versions : All versions prior to this update
Vulnerability     : denial of service/possible remote code execution
Problem type      : network
Qlustar-specific  : no
CVE Id(s)         : CVE-2019-13132
Relevant to Qlustar 11.0 and 10.1
A remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library.
Users running public Qlustar head-nodes are highly encouraged to upgrade as soon as possible, as there are no known mitigations.
The problem can be corrected by updating your system to the following Qlustar package versions (follow the Qlustar Update Instructions):
For Qlustar 11.0
For Qlustar 10.1
Note that the new package needs to be installed only on the head-node(s). After installing the new libzmq5 package, restart the qluman router as follows:
$ service qluman-router restart
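The following is an added example, not part of the Qlustar advisory or its packages, showing how an administrator can verify on each head-node that the installed libzmq5 package is at or above the fixed version before (or after) restarting the router. It assumes a dpkg-based system, implements a Debian-style version comparison in pure Python (epoch, upstream, revision, with "~" sorting before everything), and uses FIXED_VERSION as a placeholder that must be replaced with the package version listed above for the relevant Qlustar release; the version strings used in the comments are constructed test values only.

```python
"""Check whether the installed libzmq5 is at or above the advisory's fixed
version.  Added example; not part of the Qlustar advisory."""
import re
import subprocess
from typing import Tuple

# Placeholder: substitute the fixed libzmq5 version from the advisory table.
FIXED_VERSION = "0.0.0-FIXED-PLACEHOLDER"


def parse_version(version: str) -> Tuple[int, str, str]:
    """Split a Debian version into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, _, revision = version.rpartition("-")
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _char_order(c: str) -> int:
    """Debian ordering for a non-digit character: '~' < end-of-string
    < letters < other punctuation."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    """Compare two non-digit runs; end-of-string has order 0."""
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def cmp_part(a: str, b: str) -> int:
    """Compare an upstream or revision string the way dpkg does: alternate
    non-digit runs (lexical, modified order) and digit runs (numeric)."""
    while a or b:
        na = re.match(r"\D*", a).group()
        nb = re.match(r"\D*", b).group()
        result = _cmp_nondigit(na, nb)
        if result:
            return result
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"\d*", a).group()
        db = re.match(r"\d*", b).group()
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    result = cmp_part(ua, ub)
    if result:
        return result
    return cmp_part(ra, rb)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


def installed_version(package: str = "libzmq5") -> str:
    """Ask dpkg for the installed version of a package (dpkg-based hosts only)."""
    out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    current = installed_version()
    if is_fixed(current):
        print(f"libzmq5 {current} is at or above {FIXED_VERSION}; "
              "restart the router with: service qluman-router restart")
    else:
        print(f"libzmq5 {current} is older than {FIXED_VERSION}; "
              "update the package before restarting qluman-router")
```

Run it on the head-node after the update; the comparison deliberately mirrors dpkg's rules so that pre-release suffixes such as "~rc1" and an epoch prefix are ordered correctly rather than compared as plain strings.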