Severity
CVSS Score: High 8.9 (CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
CVSSv3: High 7.1 (CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Vendor
BOSH-Ecosystem / BOSH (bosh-cli)
Versions Affected
*Severity is High unless otherwise noted.
bosh-cli
– All versions prior to v7.10.4
Description
During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM’s DAV blobstore over HTTPS without verifying the server certificate, even though a CA certificate for that endpoint is available in the installation manifest. A network attacker can terminate the TLS connection, harvest the Basic-auth credentials, and read the rendered-templates archive containing every bootstrap secret for the new BOSH Director — then replay the credentials against the real VM’s agent for root code execution.
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below.
The Cloud Foundry project recommends upgrading the following releases:
bosh-cli
– Upgrade bosh-cli to v7.10.4 or greater
Credit
This issue was responsibly reported by VMware Tanzu by Broadcom.
History
July 8th: Initial vulnerability report published.
