
CVE-2017-8048: Cloud Controller API regression | Cloud Foundry

2017-09-25 00:00:00
Cloud Foundry
www.cloudfoundry.org

EPSS: 0.001 (Low), Percentile: 33.2%

Severity: Critical

Vendor: Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • capi-release versions 1.33.0 and later, prior to 1.42.0
  • cf-release versions 268 and later, prior to 274
    • Please note: due to a bug in 274, it is not recommended for production use. Deployments should use v275 or later.

Description

The original fix for CVE-2017-8033 included in capi-release 1.33.0 introduces a regression that allows a space developer to execute arbitrary code on the Cloud Controller VM by pushing a specially crafted application.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • capi-release: 1.42.0 [1]
    • cf-release: v274 [2]
      • Please note: due to a bug in 274, it is not recommended for production use. Deployments should use v275 or later.
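The affected and fixed ranges above can be checked mechanically against a BOSH deployment manifest. The following is an added example, not code from Cloud Foundry; it assumes the BOSH release names `capi` and `cf` for capi-release and cf-release, and the manifest fragment is constructed for illustration.

```python
"""Check BOSH release versions against the CVE-2017-8048 affected ranges."""
import re

# Ranges from the advisory, as [first affected, first fixed).
AFFECTED = {
    "capi": ((1, 33, 0), (1, 42, 0)),   # capi-release 1.33.0 .. 1.41.x
    "cf": ((268,), (274,)),             # cf-release 268 .. 273
}
# cf-release v274 contains the fix but the advisory says not to run it in production.
NOT_RECOMMENDED = {"cf": {(274,)}}


def parse_version(ver: str):
    """'v274' -> (274,), '1.33.0' -> (1, 33, 0); quotes and suffixes are ignored."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", ver.strip().strip("\"'"))
    if not m:
        raise ValueError(f"unparseable version: {ver!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def assess(release: str, version: str) -> str:
    """Return 'affected', 'fixed-not-recommended', 'fixed' or 'unaffected'."""
    if release not in AFFECTED:
        return "unaffected"
    v = parse_version(version)
    first_bad, first_fixed = AFFECTED[release]
    if first_bad <= v < first_fixed:
        return "affected"
    if v in NOT_RECOMMENDED.get(release, set()):
        return "fixed-not-recommended"
    return "fixed" if v >= first_fixed else "unaffected"


def scan_manifest(text: str) -> dict:
    """Pull (name, version) pairs out of a manifest's 'releases:' block (assumed layout)."""
    block = text.split("releases:", 1)[1] if "releases:" in text else ""
    pairs = re.findall(r"-\s*name:\s*(\S+)\s*\n\s*version:\s*(\S+)", block)
    return {name: assess(name, ver) for name, ver in pairs}


# Constructed sample manifest fragment (not from the advisory).
SAMPLE = """\
releases:
- name: capi
  version: 1.35.0
- name: cf
  version: "274"
- name: diego
  version: 1.25.0
"""

if __name__ == "__main__":
    for name, status in scan_manifest(SAMPLE).items():
        print(f"{name}: {status}")
```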

Credit

This issue was responsibly reported by the GE Digital Security Team.

References

History

2017-09-25: Initial vulnerability report published.

2017-09-26: Note about cf-release v274 added.
