[QSA-0709191] ZeroMQ vulnerability
Qlustar Security Advisory 0709191
July 9th, 2019
Summary:
ZeroMQ is vulnerable to denial of service attacks or possible remote code execution.
Package(s)        : zeromq, zeromq3
Qlustar releases  : 10.1, 11.0
Affected versions : All versions prior to this update
Vulnerability     : denial of service/possible remote code execution
Problem type      : network
Qlustar-specific  : no
CVE Id(s)         : CVE-2019-13132
Relevant to Qlustar 11.0 and 10.1
zeromq vulnerability
A remote, unauthenticated client connecting to a libzmq application, running with a socket listening with CURVE encryption/authentication enabled, may cause a stack overflow and overwrite the stack with arbitrary data, due to a buffer overflow in the library.
Users running public Qlustar head-nodes are highly encouraged to upgrade as soon as possible, as there are no known mitigations.
Update instructions:
The problem can be corrected by updating your system to the following Qlustar package versions (follow the Qlustar Update Instructions):
For Qlustar 11.0
libzmq5 4.2.5-1+ql.2+11-bionic
For Qlustar 10.1
libzmq5 4.2.3-ql.4+10-xenial
Note that the new package needs to be installed only on the head-node(s). After installing the new libzmq5 package, restart the qluman router as follows:
$ service qluman-router restart
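The following POSIX sh script is an added example, not part of the Qlustar advisory or the Qlustar project's tooling. It checks whether the libzmq5 package installed on a head-node is at or above the fixed version the advisory lists for the given Qlustar release, so an administrator can confirm the update took effect before restarting qluman-router. The function names (fixed_version_for, is_patched, installed_libzmq5_version, check_head_node) are the example's own; the version strings are copied from the advisory. Debian version ordering is delegated to dpkg --compare-versions where dpkg is present, with a conservative exact-match fallback otherwise.

```shell
#!/bin/sh
# Added example (not from the Qlustar advisory): verify the libzmq5 fix
# for QSA-0709191 / CVE-2019-13132 on a Qlustar head-node.

# Fixed package versions, copied from the advisory's update instructions.
fixed_version_for() {
    case "$1" in
        11.0) echo "4.2.5-1+ql.2+11-bionic" ;;
        10.1) echo "4.2.3-ql.4+10-xenial" ;;
        *)    return 1 ;;   # release not covered by this advisory
    esac
}

# is_patched <release> <installed-version>
# Exit 0 when the installed version is >= the fixed version for <release>.
# Uses dpkg's Debian version comparison when available; otherwise falls
# back to exact string equality, which is conservative (a version newer
# than the fixed one would still be reported as needing an update).
is_patched() {
    release="$1"
    installed="$2"
    fixed=$(fixed_version_for "$release") || return 2
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$installed" ge "$fixed"
    else
        [ "$installed" = "$fixed" ]
    fi
}

# Installed libzmq5 version as reported by dpkg-query (empty if not installed).
installed_libzmq5_version() {
    dpkg-query -W -f '${Version}' libzmq5 2>/dev/null
}

# check_head_node <release>
# Prints a verdict and exits 0 only when the fixed package is in place.
check_head_node() {
    release="$1"
    fixed=$(fixed_version_for "$release") || {
        echo "unknown Qlustar release: $release" >&2
        return 2
    }
    installed=$(installed_libzmq5_version)
    if [ -z "$installed" ]; then
        echo "libzmq5 is not installed; nothing to check"
        return 0
    fi
    if is_patched "$release" "$installed"; then
        echo "libzmq5 $installed is patched (fixed: $fixed)"
        echo "remember to restart the router: service qluman-router restart"
        return 0
    fi
    echo "libzmq5 $installed is VULNERABLE; update to $fixed" >&2
    return 1
}

# Usage: sh check-libzmq5.sh 11.0   (or 10.1)
if [ -n "${1:-}" ]; then
    check_head_node "$1"
fi
```

Run it with the Qlustar release of the head-node as the only argument; a non-zero exit means the package is either still at a vulnerable version or the release is not one the advisory covers.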