CVE-2018-1267: Silk permits routing to all applications if ASG overlaps with overlay network
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- You are using Silk release version prior to 0.2.0
- You are using cf-deployment with experimental ops file ‘use-silk-release.yml’ version prior to 1.21.0
Cloud Foundry Silk CNI plugin, versions prior to 0.2.0, contains an improper access control vulnerability. If the platform is configured with an application security group (ASG) that overlaps with the Silk overlay network, any applications can reach any other application on the network regardless of the configured routing policies.
Users of affected versions should apply the following mitigations or upgrades:
- Releases that have fixed this issue include:
- Silk release 0.2.0
- cf-deployment 1.21.0
This issue was responsibly reported by the CF Networking team.
2018-03-26: Clarified issue description
2018-03-26: Initial vulnerability report published.