USN-6539-1: python-cryptography vulnerabilities

Operations Manager

2 more products

24798

07 August 2024

23 July 2024

CLOSED

MEDIUM

CVE-2023-23931; CVE-2023-49083

Severity

medium

Vendor

VMware Tanzu

Versions Affected

  • Canonical Ubuntu 22.04

It was discovered that the python-cryptography Cipher.update_into function would incorrectly accept objects with immutable buffers. This would result in corrupted output, contrary to expectations. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. (CVE-2023-23931)

It was discovered that python-cryptography incorrectly handled loading certain PKCS7 certificates. A remote attacker could possibly use this issue to cause python-cryptography to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10. (CVE-2023-49083)

Update Instructions

Run `sudo pro fix USN-6539-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions:

  • python3-cryptography - 3.4.8-1ubuntu2.1
  • python-cryptography-doc - 3.4.8-1ubuntu2.1

No subscription required.
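The defect behind CVE-2023-23931 is a missing check on the caller-supplied output buffer: update_into wrote into objects whose buffer is read-only instead of rejecting them. The following pure-Python example, added here and not code from python-cryptography or this advisory, shows the buffer-protocol check a fixed implementation has to make; the XOR "cipher" and the function names are hypothetical stand-ins so the check can be run without the library installed.

```python
"""Illustration of the writable-output-buffer contract behind CVE-2023-23931.

A function that writes results into a caller-supplied buffer must refuse
read-only buffers (bytes, read-only memoryviews) and undersized ones,
otherwise the caller gets silently corrupted output. This is a hypothetical
stand-in, not python-cryptography's own update_into implementation.
"""


def classify_output_buffer(buf, needed):
    """Return 'ok', 'readonly', 'too-small' or 'no-buffer' for a candidate output buffer."""
    try:
        view = memoryview(buf)  # str and ints do not support the buffer protocol
    except TypeError:
        return "no-buffer"
    if view.readonly:
        return "readonly"  # bytes, memoryview(bytes): the case the CVE failed to reject
    if view.nbytes < needed:
        return "too-small"
    return "ok"


def xor_update_into(data, key, buf):
    """Stand-in for update_into: write data XOR repeating key into buf, return bytes written."""
    verdict = classify_output_buffer(buf, len(data))
    if verdict in ("no-buffer", "readonly"):
        raise TypeError(f"output buffer must be writable, got {type(buf).__name__} ({verdict})")
    if verdict == "too-small":
        raise ValueError(f"output buffer too small: need {len(data)} bytes")
    view = memoryview(buf).cast("B")  # flat unsigned-byte view of the writable buffer
    for i, byte in enumerate(data):
        view[i] = byte ^ key[i % len(key)]
    return len(data)


def safe_transform(data, key):
    """Correct caller pattern: allocate a writable bytearray, then copy out the written prefix."""
    out = bytearray(len(data))  # bytearray is writable; bytes(len(data)) would not be
    written = xor_update_into(data, key, out)
    return bytes(out[:written])
```

Passing `bytes(len(data))` as the output buffer is the exact mistake the affected versions accepted without error; with the check above it raises TypeError instead.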

Fixed and Unaffected VMware Products and Versions

  • CF Deployment
    • All unaffected
  • Jammy Stemcells
    • 1.327 or greater
  • Operations Manager
    • 3.0.22+LTS-T or greater
  • Isolation Segment
    • 6.0.x unaffected
  • MySQL for VMware Tanzu
    • 3.3.x unaffected
  • VMware Tanzu Application Service for VMs
    • 6.0.x unaffected
  • Redis for Pivotal Platform
    • 3.4.x unaffected
  • VMware Tanzu Kubernetes Grid Integrated Edition
    • 1.19.x unaffected
  • VMware Tanzu RabbitMQ
    • 2.3.x unaffected

References

https://ubuntu.com/security/notices/USN-6539-1

https://www.cloudfoundry.org/blog/usn-6539-1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6539-1

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24798

History

2023-12-06: Initial vulnerability report published.