CVE-2018-1277: Garden does not correctly enforce Docker image disc quotas
Severity
High
Vendor
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- You are using garden-runc-release version prior to 1.13.0
- You are using cf-deployment version prior to 1.28.0
Description
Cloud Foundry Garden-runC, versions prior to 1.13.0, does not correctly enforce disc quotas for Docker image layers. A remote authenticated user may push an app with a malicious Docker image whose layers consume more space on a Diego cell than the user's quota allows, potentially causing a denial of service (DoS) against that cell.
Mitigation
Users of affected versions should apply the following mitigations or upgrades:
- Releases that have fixed this issue include:
  - garden-runc-release version 1.13.0
  - cf-deployment version 1.28.0
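To decide whether a deployment is exposed, an operator needs to compare the deployed garden-runc-release and cf-deployment versions against the fixed versions above. The following is an added example, not Cloud Foundry's own tooling: it reads the `releases:` block of a BOSH manifest (the sample manifest is constructed, and the assumption that each entry lists `name` before `version` is the script's, not BOSH's), normalises BOSH-style version strings such as `1.12.1+dev.4`, and reports each release as affected or fixed. cf-deployment is a manifest repository rather than a BOSH release, so its version is passed in separately (here a constructed value).

```python
"""Check deployed versions against the fixed versions from CVE-2018-1277.

Added example, not Cloud Foundry code. Assumes a BOSH manifest whose
`releases:` list gives `name` then `version` for each entry; the sample
manifest below is constructed for illustration.
"""
import re

# Fixed versions named in the advisory.
FIXED_VERSIONS = {
    "garden-runc": "1.13.0",
    "cf-deployment": "1.28.0",
}

# Constructed sample manifest: a cell still running a vulnerable garden-runc.
SAMPLE_MANIFEST = """\
name: cf
releases:
- name: garden-runc
  version: 1.12.1+dev.4
- name: diego
  version: 2.5.0
"""

# Matches "- name: X" followed on the next line by "version: Y" (assumed order).
RELEASE_RE = re.compile(
    r"^- name:[ \t]*(\S+)[ \t]*\n[ \t]+version:[ \t]*(\S+)", re.MULTILINE
)


def parse_version(version: str) -> tuple:
    """Reduce a version string to a comparable numeric tuple.

    BOSH dev builds carry a suffix such as "+dev.4"; the build is based on
    the numeric core that precedes it, so the core is what gets compared.
    A leading "v" (as used in git tags) is tolerated.
    """
    core = re.split(r"[+-]", version.strip(), maxsplit=1)[0].lstrip("v")
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:  # pad "1.13" to (1, 13, 0)
        nums.append(0)
    return tuple(nums)


def releases_from_manifest(text: str) -> dict:
    """Return {release name: version} for every entry in the manifest."""
    return {m.group(1): m.group(2) for m in RELEASE_RE.finditer(text)}


def is_affected(release: str, version: str):
    """True if the deployed version is below the fixed one, False if fixed,
    None if the release is not covered by this advisory."""
    fixed = FIXED_VERSIONS.get(release)
    if fixed is None:
        return None
    # Tuple comparison avoids the string-ordering trap where "1.9.0" > "1.28.0".
    return parse_version(version) < parse_version(fixed)


def assess(versions: dict) -> dict:
    """Produce a per-release status for everything the advisory covers."""
    report = {}
    for name, fixed in FIXED_VERSIONS.items():
        deployed = versions.get(name)
        if deployed is None:
            report[name] = "unknown (not found in input)"
        elif is_affected(name, deployed):
            report[name] = f"AFFECTED ({deployed} < {fixed})"
        else:
            report[name] = f"fixed ({deployed} >= {fixed})"
    return report


if __name__ == "__main__":
    deployed = releases_from_manifest(SAMPLE_MANIFEST)
    deployed["cf-deployment"] = "1.27.0"  # constructed: version of the manifest repo in use
    for name, status in assess(deployed).items():
        print(f"{name}: {status}")
```

The numeric-tuple comparison matters in practice: a plain string comparison would rank cf-deployment `1.9.0` above `1.28.0` and report a vulnerable deployment as fixed.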
Credit
This issue was responsibly reported by the Garden team.
History
2018-04-30: Initial vulnerability report published.