Cloud Foundry products use vulnerable versions of Java
Severity
Critical
Vendor
Cloud Foundry
Affected Cloud Foundry Products and Versions
Severity is Critical unless otherwise noted.
- Credhub
  - 1.7.x prior to 1.7.9
  - 1.9.x prior to 1.9.9
  - 2.1.x prior to 2.1.2
- Java Buildpack
  - All versions prior to 4.16.1
- Ruby Buildpack
  - All versions prior to 1.7.25
- UAA Release
  - All versions prior to 66.0
Description
Cloud Foundry products use a vulnerable version of Java. The Java vulnerabilities and the affected Java versions are described in CVE-2018-3149, CVE-2018-3183, CVE-2018-3214, and CVE-2018-3180.
Mitigation
Users of affected versions should apply the following mitigations or upgrades:
- Releases that have fixed this issue include:
  - Credhub: 1.7.9, 1.9.9, 2.1.2
  - Java Buildpack: 4.16.1
  - Ruby Buildpack: 1.7.25
  - UAA Release: 66.0
- Restage any apps using the Java Buildpack or Ruby Buildpack after upgrading the buildpacks to the appropriate version.
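The version ranges above can be checked against a deployment inventory with a short script. This is an added example, not code from Cloud Foundry; the product keys, the function names and the sample inventory are assumptions made for illustration, and only the version thresholds come from this advisory.

```python
# Added example: classify deployed versions against this advisory's ranges.
# Keys are assumed product labels; values map a (major, minor) branch, or
# None for "all versions prior to", to the first fixed release listed above.
FIXED = {
    "credhub": {(1, 7): (1, 7, 9), (1, 9): (1, 9, 9), (2, 1): (2, 1, 2)},
    "java-buildpack": {None: (4, 16, 1)},
    "ruby-buildpack": {None: (1, 7, 25)},
    "uaa-release": {None: (66, 0)},
}

def parse(version):
    """'v1.7.25' -> (1, 7, 25); rejects anything that is not dotted integers."""
    parts = version.strip().lstrip("v").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)

def pad(v, n=3):
    """Right-pad with zeros so '66.0' and '66.0.0' compare equal."""
    return v + (0,) * (n - len(v))

def status(product, version):
    """Return 'affected', 'fixed' or 'not-listed' for one deployed version."""
    branches = FIXED.get(product.lower())
    if branches is None:
        return "not-listed"
    v = pad(parse(version))
    if None in branches:
        return "affected" if v < pad(branches[None]) else "fixed"
    fix = branches.get(v[:2])
    if fix is None:
        # e.g. Credhub 2.0.x: the advisory names no such branch, so do not guess.
        return "not-listed"
    return "affected" if v < fix else "fixed"

def audit(inventory):
    """Map each 'product version' pair to its status."""
    return {f"{p} {v}": status(p, v) for p, v in inventory}

# Constructed sample inventory (not from the advisory).
INVENTORY = [("credhub", "1.9.3"), ("credhub", "2.0.1"),
             ("java-buildpack", "v4.16.1"), ("ruby-buildpack", "1.7.24"),
             ("uaa-release", "65.3")]

if __name__ == "__main__":
    for item, result in audit(INVENTORY).items():
        print(f"{item}: {result}")
```

A "not-listed" result means the advisory does not name that product or release branch, so its status has to be confirmed separately.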
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3180
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3214
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3183
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3149
History
2019-2-4: Initial vulnerability report published