Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2019-3786: BBR could run arbitrary scripts on deployment VMs

CVE-2019-3786: BBR could run arbitrary scripts on deployment VMs




Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • BOSH Backup and Restore
    • All versions prior to v1.5.0


Cloud Foundry BOSH Backup and Restore CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a Bosh Backup and Restore job to request extra backup files from different jobs upon restore. The exploited hooks in this metadata script were only maintained in the cfcr-etcd-release, so clusters deployed with the BBR job for etcd in this release are vulnerable.


Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • BOSH Backup and Restore
    • Upgrade All versions to v1.5.0 or greater
  • Cloud Foundry Container Runtime
    • Upgrade cfcr-etcd-release to 1.10.0 or greater to have functional backup and restore with BBR v1.5.0 or greater


2019-04-08: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR