CVE-2017-8048: Cloud Controller API regression

By: | September 25, 2017

Share

CVE-2017-8048: Cloud Controller API regression

Severity

Critical

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • capi-release versions 1.33.0 and later, prior to 1.42.0
  • cf-release versions 268 and later, prior to 274
    • Please note: due to a bug in 274, it is not recommended for production use. Deployments should use v275 or later.

Description

The original fix for CVE-2017-8033 included in CAPI-release 1.33.0 introduces a regression that allows a space developer to execute arbitrary code on the Cloud Controller VM by pushing a specially-crafted application.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • capi-release: 1.42.0 [1]
    • cf-release: v274 [2]
      • Please note: due to a bug in 274, it is not recommended for production use. Deployments should use v275 or later.

Credit

This issue was responsibly reported by the GE Digital Security Team.

References

History

2017-09-25: Initial vulnerability report published.

2017-09-26: Note about cf-release v274 added.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES