Security Advisory

CVE-2017-8036: Cloud Controller API regression

Severity

Critical

Vendor

Cloud Foundry Foundation

Versions Affected

  • CAPI-release version 1.33.0 only

Description

The original fix for CVE-2017-8033 included in CAPI-release 1.33.0 introduces a regression that allows a space developer to execute arbitrary code on the Cloud Controller VM by pushing a specially-crafted application.

Mitigation

Users of affected versions should apply the following mitigation or upgrade:

  • Note: The affected version of CAPI-release was not included in any cf-release.
  • Standalone component users should upgrade CAPI-release to v1.35.0 or later. [1]

Credit

This vulnerability was responsibly reported by the CAPI team.

References

History

2017-07-19: Initial vulnerability report published

Cloud Foundry Foundation Security Team, AUTHOR