Security Advisory

CVE-2017-4964: BOSH Azure CPI code injection vulnerability

Severity

Medium

Vendor

Cloud Foundry Foundation

Versions Affected

  • BOSH Azure CPI Release v22

Description

The BOSH Azure CPI could potentially allow a maliciously crafted stemcell to execute arbitrary code on VMs created by the director.

Mitigation

OSS users are strongly encouraged to follow the mitigation below:

  • Update your BOSH Director to use v23 [1] or later of the Azure CPI release

Credit

Paul Nikonowicz and Sunjay Bhatia

References

History

2017-04-04: Initial vulnerability report published

Cloud Foundry Foundation Security Team, AUTHOR
