Security Advisory

Cloud Foundry products use vulnerable versions of Java

Severity

Critical

Vendor

Cloud Foundry

Affected Cloud Foundry Products and Versions

Severity is Critical unless otherwise noted.

  • Credhub
    • 1.7.x prior to 1.7.9
    • 1.9.x prior to 1.9.9
    • 2.1.x prior to 2.1.2
  • Java Buildpack
    • All versions prior to 4.16.1
  • Ruby Buildpack
    • All versions prior to 1.7.25
  • UAA Release
    • All versions prior to 66.0

Description

Cloud Foundry products use a vulnerable version of Java. The Java vulnerabilities and the Java versions they affect are listed in CVE-2018-3149, CVE-2018-3183, CVE-2018-3214, and CVE-2018-3180.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • Credhub: 1.7.9, 1.9.9, 2.1.2
    • Java Buildpack: 4.16.1
    • Ruby Buildpack: 1.7.25
    • UAA Release: 66.0
  • Restage any apps using the Java Buildpack or Ruby Buildpack after upgrading the buildpacks to the appropriate version.
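To check whether the buildpacks installed on a foundation are still below the fixed versions above, the following added example (not part of the advisory) parses `cf buildpacks` output and flags Java and Ruby buildpacks older than 4.16.1 and 1.7.25. The sample output and the buildpack filename layout are constructed assumptions; Credhub and UAA are platform releases and are not covered here.

```python
import re

# Fixed buildpack versions from the advisory.
FIXED = {
    "java_buildpack": (4, 16, 1),
    "ruby_buildpack": (1, 7, 25),
}

# Constructed sample of `cf buildpacks` output; the real column layout
# and filename format on a given foundation may differ.
SAMPLE_OUTPUT = """\
buildpack         position   enabled   locked   filename
java_buildpack    1          true      false    java-buildpack-offline-v4.16.zip
ruby_buildpack    2          true      false    ruby_buildpack-cached-v1.7.25.zip
nodejs_buildpack  3          true      false    nodejs_buildpack-cached-v1.6.40.zip
"""

# Version embedded in the buildpack archive name, e.g. "...-v4.16.1.zip".
VERSION_RE = re.compile(r"v(\d+(?:\.\d+)*)\.zip$")


def parse_version(filename):
    """Return the numeric version tuple from a buildpack filename, or None."""
    m = VERSION_RE.search(filename)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def _pad(version, length):
    """Right-pad with zeros so (4, 16) compares as (4, 16, 0)."""
    return version + (0,) * (length - len(version))


def find_outdated(output):
    """Map buildpack name -> installed version string for every buildpack
    in the advisory whose installed version is below the fixed version.
    A buildpack whose version cannot be parsed is flagged as "unknown"."""
    outdated = {}
    for line in output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] not in FIXED:
            continue
        name, fixed = fields[0], FIXED[fields[0]]
        installed = parse_version(fields[4])
        if installed is None:
            outdated[name] = "unknown"
            continue
        width = max(len(installed), len(fixed))
        if _pad(installed, width) < _pad(fixed, width):
            outdated[name] = ".".join(map(str, installed))
    return outdated
```

Any buildpack reported by `find_outdated` should be upgraded and the apps using it restaged, as the advisory directs.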

References

History

2019-2-4: Initial vulnerability report published

Cloud Foundry Foundation Security Team, AUTHOR