USN-4920-1: ZeroMQ vulnerabilities

15 June 2022

Several security issues were fixed in ZeroMQ.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

  • zeromq3 - lightweight messaging kernel

Details

It was discovered that ZeroMQ incorrectly handled certain application
metadata. A remote attacker could use this issue to cause ZeroMQ to crash,
or possibly execute arbitrary code. (CVE-2019-13132)

It was discovered that ZeroMQ mishandled certain network traffic. An
unauthenticated attacker could use this vulnerability to cause a denial-of-
service and prevent legitimate clients from communicating with ZeroMQ.
(CVE-2020-15166)

It was discovered that ZeroMQ did not properly manage memory under certain
circumstances. If a user or automated system were tricked into connecting
to one or multiple compromised servers, a remote attacker could use this
issue to cause a denial of service. (CVE-2021-20234)

It was discovered that ZeroMQ incorrectly handled memory when processing
messages with arbitrarily large sizes under certain circumstances. A remote
unauthenticated attacker could use this issue to cause a ZeroMQ server to crash,
resulting in a denial of service, or possibly execute arbitrary code. This issue
only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2021-20235)

It was discovered that ZeroMQ did not properly manage memory under certain
circumstances. A remote unauthenticated attacker could use this issue to
cause a ZeroMQ server to crash, resulting in a denial of service. This issue
only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2021-20237)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04
Ubuntu 18.04
Ubuntu 16.04
Ubuntu 14.04

In general, a standard system update will make all the necessary changes.

Related notices