CVE-2017-4964: BOSH Azure CPI code injection vulnerability | Cloud Foundry

2017-04-04T00:00:00
ID CFOUNDRY:07A96707EBA835B7D8CFD929B13CE180
Type cloudfoundry
Reporter Cloud Foundry
Modified 2017-04-04T00:00:00

Description

Severity

Medium

Vendor

Cloud Foundry Foundation

Versions Affected

  • BOSH Azure CPI Release v22

Description

The BOSH Azure CPI could allow a maliciously crafted stemcell to execute arbitrary code on VMs created by the director. The attack vector is the stemcell itself, so the exposure is limited to directors that can be supplied an untrusted stemcell.

Mitigation

OSS users are strongly encouraged to follow the mitigation below:

  • Update your BOSH Director to use v23 [1] or later of the Azure CPI release
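The following script is an added example, not code from Cloud Foundry or from the CPI release, that checks a director deployment manifest for the version of the Azure CPI release it pins and flags anything earlier than v23. The manifest embedded in it is constructed for illustration; the release name `bosh-azure-cpi` is the name used by the Azure CPI release, and the threshold of 23 comes from the mitigation above. A manifest that pins `latest` cannot be judged from the file alone, so the check reports `:unknown` in that case rather than guessing.

```ruby
require 'yaml'

# Constructed sample: a trimmed BOSH director manifest that pins the Azure CPI
# release at v22, the affected version. Example input only, not a real manifest.
SAMPLE_MANIFEST = <<~YAML
  name: bosh
  releases:
  - name: bosh
    version: "261.4"
    url: https://bosh.io/d/github.com/cloudfoundry/bosh?v=261.4
  - name: bosh-azure-cpi
    version: "22"
    url: https://bosh.io/d/github.com/cloudfoundry-incubator/bosh-azure-cpi-release?v=22
YAML

AZURE_CPI_RELEASE = 'bosh-azure-cpi'.freeze
FIRST_FIXED_VERSION = 23 # v23 is the first release carrying the fix (per the advisory)

# Returns :patched, :vulnerable, or :unknown for the Azure CPI release pinned
# in a director manifest. Only the leading integer of the version is compared,
# which covers the integer-numbered CPI releases as well as dev builds such
# as "22+dev.3" (treated as 22, i.e. still vulnerable).
def azure_cpi_status(manifest_yaml)
  manifest = YAML.safe_load(manifest_yaml) || {}
  releases = manifest.fetch('releases', []) || []
  cpi = releases.find { |r| r.is_a?(Hash) && r['name'] == AZURE_CPI_RELEASE }
  return :unknown if cpi.nil? # Azure CPI not pinned in this manifest

  version = cpi['version'].to_s
  major = version[/\A\d+/]
  return :unknown if major.nil? # e.g. "latest": check `bosh releases` instead

  major.to_i >= FIRST_FIXED_VERSION ? :patched : :vulnerable
end

# Convenience wrapper for a manifest on disk, e.g. `ruby check_cpi.rb bosh.yml`.
def azure_cpi_status_for_file(path)
  azure_cpi_status(File.read(path))
end

if $PROGRAM_NAME == __FILE__
  source = ARGV.empty? ? SAMPLE_MANIFEST : File.read(ARGV[0])
  puts "Azure CPI release status: #{azure_cpi_status(source)}"
end
```

A result of `:unknown` is not a pass: it means the manifest pins no fixed version (or uses `latest`), so the version actually uploaded to the director has to be confirmed with `bosh releases` before concluding the mitigation is in place.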

Credit

Paul Nikonowicz and Sunjay Bhatia

References

  • [1] <https://github.com/cloudfoundry-incubator/bosh-azure-cpi-release/releases/tag/v23>

History

2017-04-04: Initial vulnerability report published