
CVE-2019-3786: BBR could run arbitrary scripts on deployment VMs
Severity

High

Vendor

Pivotal Cloud Foundry

Description

Pivotal Cloud Foundry BOSH Backup and Restore (BBR) CLI, all versions prior to 1.5.0, does not check the authenticity of backup scripts in BOSH. A remote authenticated malicious user can modify the metadata file of a BOSH Backup and Restore job so that it requests extra backup files belonging to different jobs upon restore. The exploited hooks in this metadata script were only maintained in the cfcr-etcd-release, so clusters deployed with the BBR job for etcd from that release are vulnerable.
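The following is an added example, not code from the advisory or from the BBR project: a defender-side consistency check over the metadata that BBR job scripts emit. It assumes the metadata carries optional `backup_name` / `restore_name` keys, that a job's artifact name defaults to its own job name, and that a job whose restore would pull an artifact produced by a different job is the cross-job request the advisory describes; the metadata documents are shown as already-parsed dicts (constructed).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class JobMetadata:
    """One job's BBR metadata (keys assumed: backup_name, restore_name)."""
    instance_group: str
    job_name: str
    backup_name: Optional[str] = None
    restore_name: Optional[str] = None

    def produced_artifact(self) -> str:
        # Assumption: without backup_name the artifact is named after the job.
        return self.backup_name or self.job_name

    def requested_artifact(self) -> str:
        # Assumption: without restore_name a job restores its own artifact.
        return self.restore_name or self.produced_artifact()


@dataclass
class Finding:
    instance_group: str
    job_name: str      # job whose metadata makes the suspicious request
    artifact: str      # artifact name it asks to restore
    owner: str         # job that actually produces that artifact


def find_cross_job_artifact_requests(jobs: List[JobMetadata]) -> List[Finding]:
    """Flag every job whose restore would receive another job's backup artifact."""
    owners: Dict[str, str] = {}
    for job in jobs:
        owners.setdefault(job.produced_artifact(), job.job_name)
    findings: List[Finding] = []
    for job in jobs:
        wanted = job.requested_artifact()
        owner = owners.get(wanted)
        if owner is not None and owner != job.job_name:
            findings.append(Finding(job.instance_group, job.job_name, wanted, owner))
    return findings


# Constructed sample: three jobs, the last one with tampered metadata that
# names the etcd job's artifact as the thing it wants restored onto its VM.
SAMPLE_JOBS = [
    JobMetadata("master", "etcd", backup_name="etcd-state"),
    JobMetadata("master", "kube-apiserver"),
    JobMetadata("worker", "rogue-job", restore_name="etcd-state"),
]

if __name__ == "__main__":
    for f in find_cross_job_artifact_requests(SAMPLE_JOBS):
        print(f"{f.instance_group}/{f.job_name} requests '{f.artifact}' owned by {f.owner}")
```

Run against the metadata of every job in a deployment before a restore; an empty result means no job asks for an artifact it did not produce.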

Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • BOSH Backup and Restore versions prior to v1.5.0

Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • BOSH Backup and Restore
      • v1.5.0 or greater
    • Pivotal Container Service (PKS)
      • Upgrade PKS 1.2.x to 1.2.12 or greater to have functional backup and restore with BBR v1.5.0 or greater
      • Upgrade PKS 1.3.x to 1.3.7 or greater to have functional backup and restore with BBR v1.5.0 or greater
      • PKS 1.4.0 and greater are unaffected by this vulnerability

References

History

2019-07-18: Initial vulnerability report published