CVE-2017-14388: GrootFS doesn’t validate DiffIDs

Severity

High

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

GrootFS release
- 0.3.x versions prior to 0.30.0

Description

GrootFS does not validate DiffIDs, allowing specially crafted images to poison the grootfs volume cache. For example, this could allow an attacker to provide an image layer that GrootFS would consider to be the Ubuntu base layer.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

Releases that have fixed this issue include:
- GrootFS release: 0.30.0

Credit

This issue was responsibly reported by the GrootFS team.

References

https://github.com/cloudfoundry/grootfs-release/releases

History

2017-10-09: Initial vulnerability report published.

CVE-2017-14388: GrootFS doesn’t validate DiffIDs

CVE-2017-14388: GrootFS doesn’t validate DiffIDs

Severity

Vendor

Affected Cloud Foundry Products and Versions

Description

Mitigation

Credit

References

History

You Might Also Like

USN-3454-1: libffi vulnerability

USN-5613-1: Vim vulnerabilities

USN-6138-1: libssh vulnerabilities

Sign up for the Cloud Foundry Newsletter today!

Sign up for the
Cloud Foundry Newsletter today!