Lucene search

Cloud FoundryCFOUNDRY:7ABCAE7E25EC5DC69D622315D9BE6721

HistoryMay 01, 2017 - 12:00 a.m.

USN-3246-1: Eject vulnerability | Cloud Foundry

2017-05-0100:00:00

Cloud Foundry

www.cloudfoundry.org

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

25.1%

JSON

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

Canonical Ubuntu 14.04

Description

Ilja Van Sprundel discovered that dmcrypt-get-device incorrectly checked setuid and setgid return values. A local attacker could use this issue to execute code as an administrator.

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

Cloud Foundry BOSH stemcells are vulnerable, including:
- 3151.x versions prior to 3151.16
- 3263.x versions prior to 3263.24
- 3312.x versions prior to 3312.24
- 3363.x versions prior to 3363.20
- All other stemcells not listed.
All versions of Cloud Foundry cflinuxfs2 prior to 1.112.0

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

The Cloud Foundry project recommends upgrading the following BOSH stemcells:
- Upgrade 3151.x versions to 3151.16 or later
- Upgrade 3263.x versions to 3263.24 or later
- Upgrade 3312.x versions to 3312.24 or later
- Upgrade 3363.x versions to 3363.20 or later
- All other stemcells should be upgraded to the latest version.
The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 versions 1.112.0 or later.