CVE-2016-0780 Cloud Controller Disk Quota Enforcement
Severity

High

Vendor

Cloud Foundry Foundation and Pivotal Cloud Foundry

Versions Affected
  • cf-release v231 and lower
  • Pivotal Cloud Foundry Elastic Runtime 1.5.x versions prior to 1.5.17 AND 1.6.x versions prior to 1.6.18

Description

It was discovered that Cloud Foundry does not properly enforce disk quotas in certain cases. An attacker could supply an improper disk quota value to bypass enforcement and consume all the disk on DEAs/cells, causing a potential denial of service for other applications.
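The advisory describes the class of bug (a quota value the platform accepts but does not enforce) without naming the specific value involved. The following is an added example, not code from the advisory or from Cloud Foundry, that shows what strict enforcement of a per-app disk quota looks like from the operator side: a validator that accepts only a positive integer number of MB up to a platform maximum, and an audit routine that runs that validator over app records. The sample API response is constructed to resemble a trimmed `/v2/apps` listing (the `disk_quota` and `memory` fields are in MB, as in the v2 app entity); the limit `MAX_APP_DISK_MB` is an assumed operator setting, and the reason strings are this example's own.

```python
"""Audit Cloud Foundry app disk quotas against an assumed platform maximum.

Added example, not part of CVE-2016-0780 or of Cloud Foundry's own code.
The app listing below is constructed sample data, not a real API capture.
"""
import json

# Assumed operator limit for a single app's disk, in MB (not from the advisory).
MAX_APP_DISK_MB = 2048

# Constructed sample: shape loosely follows a trimmed /v2/apps response.
SAMPLE_APPS_JSON = """
{
  "resources": [
    {"entity": {"name": "web",    "memory": 512,  "disk_quota": 1024}},
    {"entity": {"name": "batch",  "memory": 1024, "disk_quota": 0}},
    {"entity": {"name": "ingest", "memory": 256,  "disk_quota": 10240}},
    {"entity": {"name": "legacy", "memory": 256,  "disk_quota": "1024"}},
    {"entity": {"name": "worker", "memory": 256,  "disk_quota": 2048}}
  ]
}
"""


def validate_disk_quota(value, max_mb=MAX_APP_DISK_MB):
    """Return (ok, reason) for a requested per-app disk quota in MB.

    Only a strictly positive integer no larger than max_mb is accepted; a
    zero, negative, oversized or non-integer value is rejected so that no
    request can slip past the limit by being malformed rather than merely
    too large.
    """
    # bool is a subclass of int in Python; exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        return False, "disk_quota must be an integer number of MB"
    if value <= 0:
        return False, "disk_quota must be positive"
    if value > max_mb:
        return False, f"disk_quota {value} MB exceeds maximum {max_mb} MB"
    return True, "ok"


def audit_apps(apps_json, max_mb=MAX_APP_DISK_MB):
    """Run validate_disk_quota over every app record in a /v2/apps-style listing.

    Returns a list of (app_name, disk_quota, reason) for each record whose
    quota would not pass strict enforcement.
    """
    findings = []
    for resource in json.loads(apps_json)["resources"]:
        entity = resource["entity"]
        quota = entity.get("disk_quota")
        ok, reason = validate_disk_quota(quota, max_mb)
        if not ok:
            findings.append((entity["name"], quota, reason))
    return findings


if __name__ == "__main__":
    for name, quota, reason in audit_apps(SAMPLE_APPS_JSON):
        print(f"{name}: disk_quota={quota!r}: {reason}")
```

Running the audit against a live deployment would mean replacing `SAMPLE_APPS_JSON` with the paginated output of the apps endpoint; the point of the validator is that the accepted range is closed on both ends, so an unexpected type or a non-positive number is treated as a failure rather than as "no limit".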

Mitigation

Users of affected versions should apply the following mitigation:

  • Upgrade to cf-release v233 [1] (cf-release v232 is not recommended for use)
  • Upgrade Pivotal Cloud Foundry Elastic Runtime 1.5.x versions to 1.5.17 or later OR 1.6.x versions to 1.6.18 or later

Credit

Fujitsu Limited

References

History

2016-Mar-23: Initial vulnerability report published