Comment 3 for bug 1794868

Ken Young (kenyis) wrote :

I want to limit the discussion here to the security exposure and the CVEs. Any build or multiOS concerns need to be handled separately and can be discussed openly on the mailing list.

The CVEs in question are:

- CVE-2016-6902: Base Score 9.0 HIGH Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
https://nvd.nist.gov/vuln/detail/CVE-2016-6902

- CVE-2016-6903: Base Score 9.0 HIGH Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
https://nvd.nist.gov/vuln/detail/CVE-2016-6903

Given the base vector score of 9.0 and the access vector is network with low complexity, these CVEs need to be evaluated further.

My understanding is that this software has limited use during config_controller (this needs to be confirmed). It is not running in general and does not sit on an open port on the OAM interface. The open ports on this interface were reviewed as part of the Threat Model and the SAFE review. Given that network access is not provided, these threats do not exist in a running titanium system. The only way to access the shell is on the system itself, which means you already have access to the system.

Ken Young's opinion:
1/ This issue is low priority.
2/ It should not drive an immediate fix because of these CVEs.