USN-6640-1: shadow vulnerability

Operations Manager

2 more products

24673

07 August 2024

15 July 2024

CLOSED

LOW

CVE-2023-4641

Severity

low

Vendor

VMware Tanzu

Versions Affected

  • Canonical Ubuntu 18.04
  • Cflinuxfs3

Description

It was discovered that shadow was not properly sanitizing memory when running the password utility. An attacker could possibly use this issue to retrieve a password from memory, exposing sensitive information. Update Instructions: Run `sudo pro fix USN-6640-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: passwd - 1:4.2-3.1ubuntu5.5+esm4 login - 1:4.2-3.1ubuntu5.5+esm4 uidmap - 1:4.2-3.1ubuntu5.5+esm4 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro.

Fixed VMware Products and Versions

  • Platform Automation Toolkit
    • 4.4.32 or greater
    • 5.0.25 or greater
    • 5.1.2 or greater
  • Tanzu Greenplum for Kubernetes
    • 2.0.0 or greater
  • CF Deployment
    • 30.0.0 or greater
  • Operation Manager Image
    • 2.10.71 or greater
  • Operation Manager
    • 2.10.71 or greater
  • Xenial Stemcells
    • 621.872 or greater

References

https://ubuntu.com/security/notices/USN-6640-1

https://www.cloudfoundry.org/blog/usn-6640-1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6640-1

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24673

History

2024-02-15: Initial vulnerability report published.