Severity
Critical
Vendor
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- capi-release versions 1.33.0 and later, prior to 1.42.0
- cf-release versions 268 and later, prior to 274
- Please note: due to a bug in cf-release v274, it is not recommended for production use. Deployments should use v275 or later.
Description
The original fix for CVE-2017-8033 included in capi-release 1.33.0 introduced a regression that allows a space developer to execute arbitrary code on the Cloud Controller VM by pushing a specially crafted application.
Mitigation
Users of affected versions should apply the following mitigations or upgrades:
- Releases that have fixed this issue include:
- capi-release: 1.42.0 [1]
- cf-release: v274 [2]
- Please note: due to a bug in cf-release v274, it is not recommended for production use. Deployments should use v275 or later.
Credit
This issue was responsibly reported by the GE Digital Security Team.
References
History
2017-09-25: Initial vulnerability report published.
2017-09-26: Note about cf-release v274 added.