CVE-2016-4435 BOSH Agent Anonymous Endpoint

Severity

Medium

Vendor

Cloud Foundry Foundation

Versions Affected

BOSH stemcell versions prior to 3232.6 and 3146.13

Description

An endpoint of the Agent running on the BOSH Director VM may allow unauthenticated clients to read or write blobs or cause a denial of service attack on the Director VM. This vulnerability requires that the unauthenticated clients guess or find a URL matching an existing GUID.

Affected Products and Versions

BOSH stemcell versions prior to 3232.6 and 3146.13

Mitigation

Users of affected versions should apply the following mitigation:

Upgrade BOSH stemcell versions to 3232.6 and 3146.13

Credit

This issue was identified by a VMware team and reported responsibly to the Cloud Foundry Foundation.

References

[1] http://bosh.io

CVE-2016-4435 BOSH Agent Anonymous Endpoint

Severity

Vendor

Versions Affected

Description

Affected Products and Versions

Mitigation

Credit

References

You Might Also Like

USN-4414-1: Linux kernel vulnerabilities

USN-4049-4: GLib regression

USN-3746-1: APT vulnerability

Sign up for the Cloud Foundry Newsletter today!

Sign up for the
Cloud Foundry Newsletter today!