CVE-2017-4975: Tile generator sets open security groups


Severity

High

Vendor

Pivotal

Description

Tiles built with the PCF Tile Generator create an open running security group (one that permits all outbound traffic) that overrides the security groups the operator has configured.
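An added example, not from this advisory or from Pivotal: a small audit that flags application security group rules allowing every protocol (or every port) to every IPv4 address, which is what an "open" group amounts to. It assumes rules in the Cloud Foundry ASG JSON shape (`protocol`, `destination`, optional `ports`); the sample groups and the name `tile-generated-asg` are constructed placeholders.

```python
import ipaddress

# Constructed sample groups in the Cloud Foundry ASG rule format (assumed
# shape: protocol, destination, optional ports). Names are placeholders.
SAMPLE_GROUPS = {
    "tile-generated-asg": [{"protocol": "all", "destination": "0.0.0.0/0"}],
    "operator-db-asg": [{"protocol": "tcp", "destination": "10.0.1.0/24", "ports": "5432"}],
    "operator-dns-asg": [{"protocol": "udp", "destination": "10.0.0.2", "ports": "53"}],
}


def _covers_all_addresses(destination: str) -> bool:
    """True when a destination spans the whole IPv4 space.

    ASG destinations may be a single IP, a CIDR block or a 'start-end' range.
    """
    if "-" in destination:
        start, end = (ipaddress.ip_address(p.strip()) for p in destination.split("-", 1))
        return int(start) == 0 and int(end) == 2**32 - 1
    net = ipaddress.ip_network(destination, strict=False)
    return net.version == 4 and net.prefixlen == 0


def is_open_rule(rule: dict) -> bool:
    """An open rule reaches every address with every protocol, or with
    tcp/udp and no port restriction."""
    if not _covers_all_addresses(rule["destination"]):
        return False
    proto = rule.get("protocol", "").lower()
    if proto == "all":
        return True
    return proto in ("tcp", "udp") and not rule.get("ports")


def find_open_groups(groups: dict) -> list:
    """Names of groups containing at least one open rule, sorted."""
    return sorted(
        name for name, rules in groups.items() if any(is_open_rule(r) for r in rules)
    )


if __name__ == "__main__":
    for name in find_open_groups(SAMPLE_GROUPS):
        print(f"open security group: {name}")
```

To audit a real foundation, replace SAMPLE_GROUPS with the rule sets exported from the cf CLI or the Cloud Controller API, and pay particular attention to any group bound to the running set.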

Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • PCF Tile Generator versions prior to 6.0.0

Affected Partner Products and Versions

Severity is high unless otherwise noted.

  • Aerospike Service Broker for PCF versions prior to 1.0.1
  • AppDynamics Service Broker for PCF versions prior to 1.2.1
  • All versions of Azuqua Platform Connector for PCF
  • Blue Medora Nozzle for PCF versions prior to 1.2.0
  • All versions of Cloudflare Service Broker for PCF (BETA)
  • Cloudsoft Service Broker for PCF (BETA) versions prior to 1.2.0
  • Dynatrace Service Broker for PCF versions prior to 1.2.2
  • EDB Postgres Service Broker for PCF versions prior to 1.0.15
  • First Data Payments Service Broker for PCF (BETA) versions prior to 1.0.2
  • ForgeRock Service Broker for PCF versions prior to 2.0.1
  • GCP Service Broker for PCF versions prior to 3.3.2
  • GCP Stackdriver Nozzle for PCF versions prior to 1.0.3
  • Gluon Cloud Cloudlink Service Broker for PCF (BETA) versions prior to 0.9.1
  • Guardtime Blockchain Service Broker for PCF (BETA) versions prior to 0.0.8
  • All versions of Guardtime Blockchain Service Broker for PCF (BETA)
  • Honeycomb Nozzle for PCF (BETA) versions prior to 0.1.1
  • Microsoft Azure Service Broker for PCF versions prior to 1.2.2
  • New Relic Service Broker for PCF:
    • All versions prior to 1.7.1
    • 1.8.x versions prior to 1.8.1
    • 1.9.x versions prior to 1.9.1
  • PagerDuty Service Broker for PCF (BETA) versions prior to 0.0.2
  • Signal Sciences Service Broker for PCF (BETA) versions prior to 0.0.26
  • SignalFx Monitoring and Alerting for PCF (BETA) versions prior to 0.9.1
  • Solace Messaging for PCF versions prior to 1.0.1
  • Stardog Service Broker for PCF (BETA) versions prior to 0.9.2

Mitigation

Users of affected versions should apply the following mitigation:

  • For existing installations:
  • For new installations, releases that have fixed this issue include:
    • Aerospike Service Broker for PCF: 1.0.1
    • AppDynamics Service Broker for PCF: 1.2.1
    • Blue Medora Nozzle for PCF: 1.2.0
    • Dynatrace Service Broker for PCF: 1.2.2
    • Cloudsoft Service Broker for PCF (BETA): 1.2.0
    • EDB Postgres Service Broker for PCF: 1.0.15
    • First Data Payments Service Broker for PCF (BETA): 1.0.2
    • ForgeRock Service Broker for PCF: 2.0.1
    • GCP Service Broker for PCF: 3.3.2
    • GCP Stackdriver Nozzle for PCF: 1.0.3
    • Gluon Cloud Cloudlink Service Broker for PCF (BETA): 0.9.1
    • Guardtime Blockchain Service Broker for PCF (BETA): 0.0.8
    • Honeycomb Nozzle for PCF (BETA): 0.1.1
    • Microsoft Azure Service Broker for PCF: 1.2.2
    • New Relic Service Broker for PCF: 1.7.1, 1.8.1, 1.9.1
    • PagerDuty Service Broker for PCF (BETA): 0.0.2
    • Signal Sciences Service Broker for PCF (BETA): 0.0.26
    • SignalFx Monitoring and Alerting for PCF (BETA): 0.9.1
    • Solace Messaging for PCF: 1.0.1
    • Stardog Service Broker for PCF (BETA): 0.9.2
  • Note: if a tile is not listed in this section, a new version is not yet available. This page will be updated as more tiles are released.

References

History

2017-05-15: Initial vulnerability report published