CVE-2016-9880 Unauthenticated access to GemFire for PCF broker endpoints
Severity
High
Vendor
Pivotal
Description
The GemFire broker for Cloud Foundry has multiple API endpoints which do not require authentication and could be used to gain access to the cluster managed by the broker.
Affected VMware Products and Versions
- GemFire for PCF:
  - 1.6.x versions prior to 1.6.5
  - 1.7.x versions prior to 1.7.1
Mitigation
Users of affected versions should apply the following mitigation:
- Upgrade GemFire for PCF:
  - 1.6.x versions to 1.6.5 or later
  - 1.7.x versions to 1.7.1 or later
Please note: GemFire for PCF is not available to all users. Please see the download instructions on Pivotal Network [1] for more information.
Credit
This issue was responsibly reported by the GemFire for PCF team.
References
History
2017-02-09: Initial vulnerability report published