CVE-2017-8048: Cloud Controller API regression
Severity
Critical
Vendor
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- capi-release versions 1.33.0 and later, prior to 1.42.0
- cf-release versions 268 and later, prior to 274
- Please note: due to a bug in 274, it is not recommended for production use. Deployments should use v275 or later.
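The ranges above are easy to misread when checked by hand, and comparing version strings lexicographically gets them wrong (for example "1.9.0" sorts after "1.10.0"). The following script is an added example, not part of the advisory and not Cloud Foundry project code: it encodes the affected ranges stated in this advisory and classifies a deployed capi-release or cf-release version against them. The release names and the input dictionary format are assumptions for illustration; the version values must come from your own deployment (for example a BOSH deployment manifest).

```python
from typing import Dict, Tuple

# Ranges as stated in this advisory (CVE-2017-8048).
# Lower bound inclusive, upper bound exclusive (first fixed version).
CAPI_AFFECTED = ((1, 33, 0), (1, 42, 0))   # capi-release 1.33.0 <= v < 1.42.0
CF_AFFECTED = (268, 274)                    # cf-release 268 <= v < 274
# v274 contains the fix but the advisory says it is not recommended for production.
CF_FIXED_NOT_RECOMMENDED = {274}

VULNERABLE = "vulnerable"
FIXED = "fixed"
FIXED_NOT_RECOMMENDED = "fixed-not-recommended"
# Versions older than the affected range predate the CVE-2017-8033 fix that
# introduced this regression, so they are not affected by THIS advisory.
NOT_AFFECTED = "not-affected-by-this-cve"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v1.42.0', '1.42.0' or '274' into an int tuple so that comparison
    is numeric rather than string-based."""
    text = text.strip().lstrip("vV")
    if not text:
        raise ValueError("empty version string")
    return tuple(int(part) for part in text.split("."))


def capi_status(version: str) -> str:
    """Classify a capi-release version against the advisory's range."""
    v = parse_version(version)
    if len(v) != 3:
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {version!r}")
    lo, hi = CAPI_AFFECTED
    if v < lo:
        return NOT_AFFECTED
    if v < hi:
        return VULNERABLE
    return FIXED


def cf_release_status(version: str) -> str:
    """Classify a cf-release version (an integer such as 270 or 'v274')."""
    n = parse_version(version)[0]
    lo, hi = CF_AFFECTED
    if n < lo:
        return NOT_AFFECTED
    if n < hi:
        return VULNERABLE
    if n in CF_FIXED_NOT_RECOMMENDED:
        return FIXED_NOT_RECOMMENDED
    return FIXED


def assess_releases(releases: Dict[str, str]) -> Dict[str, str]:
    """Map release name -> version (as found in a deployment manifest) to a
    status per release. Only the two releases named in the advisory are
    evaluated; anything else is ignored."""
    checks = {"capi": capi_status, "cf": cf_release_status}
    return {name: checks[name](ver) for name, ver in releases.items() if name in checks}


if __name__ == "__main__":
    # Constructed sample input; the release names are an assumption.
    sample = {"capi": "1.35.0", "cf": "v274", "diego": "1.25.0"}
    for name, status in assess_releases(sample).items():
        print(f"{name}: {sample[name]} -> {status}")
```

A deployment whose capi-release falls in the vulnerable range needs the upgrade listed under Mitigation even if its cf-release is already at a fixed version, since the regression lives in capi-release itself.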
Description
The original fix for CVE-2017-8033, included in capi-release 1.33.0, introduced a regression that allows a space developer to execute arbitrary code on the Cloud Controller VM by pushing a specially crafted application.
Mitigation
Users of affected versions should apply the following mitigations or upgrades:
- Releases that have fixed this issue include:
  - capi-release: 1.42.0 [1]
  - cf-release: v274 [2]
- Please note: due to a bug in 274, it is not recommended for production use. Deployments should use v275 or later.
Credit
This issue was responsibly reported by the GE Digital Security Team.
References
- [1] https://github.com/cloudfoundry/capi-release/releases
- [2] https://github.com/cloudfoundry/cf-release/releases/tag/v274
History
2017-09-25: Initial vulnerability report published.
2017-09-26: Note about cf-release v274 added.