SB2019102915 - Multiple vulnerabilities in OpenAFS

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Deserialization of Untrusted Data (CVE-ID: CVE-2019-18601)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can make a series of VOTE_Debug RPC calls to crash a database server within the "SVOTE_Debug RPC" handler.

2) Information disclosure (CVE-ID: CVE-2019-18603)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to uninitialized RPC output variables are sent over the network to a peer. A remote attacker can gain unauthorized access to sensitive information on the system.

3) Information disclosure (CVE-ID: CVE-2019-18602)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to uninitialized scalars are sent over the network to a peer. A remote attacker can gain unauthorized access to sensitive information on the system.

Remediation

Install update from vendor's website.

References

• https://lists.debian.org/debian-lts-announce/2019/11/msg00002.html
• https://openafs.org/pages/security/OPENAFS-SA-2019-003.txt
• https://openafs.org/pages/security/OPENAFS-SA-2019-001.txt
• https://openafs.org/pages/security/OPENAFS-SA-2019-002.txt