CVE-2016-4435 BOSH Agent Anonymous Endpoint


Severity

Medium

Vendor

Cloud Foundry Foundation

Versions Affected

  • BOSH stemcell versions prior to 3232.6 and 3146.13

Description

An endpoint of the Agent running on the BOSH Director VM may allow unauthenticated clients to read or write blobs, or to cause a denial of service on the Director VM. Exploitation requires that the unauthenticated client guess or otherwise obtain a URL matching an existing GUID.

Affected Pivotal Products and Versions
  • BOSH stemcell versions prior to 3232.6 and 3146.13
  • Pivotal Elastic Runtime 1.6.x versions prior to 1.6.27 AND 1.7.x versions prior to 1.7.5
  • Pivotal Ops Manager 1.6.x versions prior to 1.6.15 AND 1.7.x versions prior to 1.7.6
  • Pivotal MySQL 1.6.x versions prior to 1.6.12 AND 1.7.x versions prior to 1.7.9 AND edge release versions prior to 1.8.0-edge.7
  • Pivotal RiakCS 1.5.x versions prior to 1.5.13
  • Pivotal RabbitMQ 1.5.x versions prior to 1.5.12 AND 1.6.x versions prior to 1.6.1
  • Pivotal Redis 1.4.x versions prior to 1.4.25 AND 1.5.x versions prior to 1.5.14
  • Pivotal Push Notification Service 1.4.x versions prior to 1.4.9
  • PCF Metrics 1.0.x versions prior to 1.0.6
  • PCF Metrics: Log Search 1.x versions prior to 1.0.0
  • PCF Metrics: JMX Bridge 1.7.x versions prior to 1.7.3
  • Pivotal Single Sign On 1.x versions prior to 1.13 AND 1.1.x versions prior to 1.1.1
  • Pivotal Spring Cloud Services 1.0.x versions prior to 1.0.10

Mitigation

Users of affected versions should apply the following mitigation:

  • Upgrade BOSH stemcell versions to 3232.6 or later OR 3146.13 or later
  • Upgrade Pivotal Elastic Runtime 1.6.x versions to 1.6.27 or later OR 1.7.x versions to 1.7.5 or later
  • Upgrade Pivotal Ops Manager 1.6.x versions to 1.6.15 or later OR 1.7.x versions to 1.7.6 or later
  • Upgrade Pivotal MySQL 1.6.x versions to 1.6.12 or later OR 1.7.x versions to 1.7.9 or later OR edge versions to 1.8.0-edge.7 or later
  • Upgrade Pivotal RiakCS 1.5.x versions to 1.5.13 or later
  • Upgrade Pivotal RabbitMQ 1.5.x versions to 1.5.12 or later OR 1.6.x versions to 1.6.1 or later
  • Upgrade Pivotal Redis 1.4.x versions to 1.4.25 or later OR 1.5.x versions to 1.5.14 or later
  • Upgrade Pivotal Push Notification Service 1.4.x versions to 1.4.9 or later
  • Upgrade PCF Metrics 1.0.x versions to 1.0.6 or later
  • Upgrade PCF Metrics: Log Search 1.x versions to 1.0.0 or later
  • Upgrade PCF Metrics: JMX Bridge 1.7.x versions to 1.7.3 or later
  • Upgrade Pivotal Single Sign On 1.x versions to 1.13 or later OR 1.1.x versions to 1.1.1 or later
  • Upgrade Pivotal Spring Cloud Services 1.0.x versions to 1.0.10 or later
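As an added illustration of the version ranges above (this is not Cloud Foundry or Pivotal tooling), the following Python script compares an inventory of product versions against the first fixed version of each release line named in this advisory. The fixed version numbers are copied from the advisory; the release-line prefixes, the ordering of "edge" builds before the corresponding release, the "not covered" status and the inventory at the bottom are assumptions of the example. A version on a release line the advisory does not mention is reported as "not covered" rather than as safe, so it still gets looked at by hand.

```python
"""Audit an inventory of product versions against the ranges in this advisory.

Added example, not Cloud Foundry or Pivotal tooling.  Fixed versions are
taken from the advisory text; the inventory below is constructed.
"""

# (release line prefix, first fixed version) per product, most specific line
# first.  A reported version belongs to a line when it starts with "<prefix>.".
# Prefixes are this example's reading of the advisory's "1.6.x"-style ranges.
FIXED_IN = {
    "BOSH stemcell": [("3232", "3232.6"), ("3146", "3146.13")],
    "Pivotal Elastic Runtime": [("1.6", "1.6.27"), ("1.7", "1.7.5")],
    "Pivotal Ops Manager": [("1.6", "1.6.15"), ("1.7", "1.7.6")],
    "Pivotal MySQL": [("1.6", "1.6.12"), ("1.7", "1.7.9"),
                      ("1.8.0-edge", "1.8.0-edge.7")],
    "Pivotal RiakCS": [("1.5", "1.5.13")],
    "Pivotal RabbitMQ": [("1.5", "1.5.12"), ("1.6", "1.6.1")],
    "Pivotal Redis": [("1.4", "1.4.25"), ("1.5", "1.5.14")],
    "Pivotal Push Notification Service": [("1.4", "1.4.9")],
    "PCF Metrics": [("1.0", "1.0.6")],
    "PCF Metrics: Log Search": [("1", "1.0.0")],
    "PCF Metrics: JMX Bridge": [("1.7", "1.7.3")],
    "Pivotal Single Sign On": [("1.1", "1.1.1"), ("1", "1.13")],
    "Pivotal Spring Cloud Services": [("1.0", "1.0.10")],
}


def parse_version(version: str) -> tuple:
    """Turn '1.8.0-edge.7' into a tuple that orders the way the advisory reads.

    The numeric release part and any pre-release tag are split at the first
    '-'.  A pre-release ("edge") build sorts before the final release with the
    same numbers, so '1.8.0-edge.6' < '1.8.0-edge.7' < '1.8.0'.  Tag segments
    are stored as (is_number, value) pairs so that a numeric and a textual
    segment never get compared directly (which would raise TypeError).
    """
    release, _, pre = version.partition("-")
    numbers = tuple(int(n) for n in release.split("."))
    if not pre:
        return numbers, (1,)          # final release: after any pre-release
    tag = tuple((t.isdigit(), int(t) if t.isdigit() else t)
                for t in pre.split("."))
    return numbers, (0,) + tag        # pre-release: before the final release


def status(product: str, version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not covered' for one product version.

    'not covered' means the advisory lists no range for that release line
    (or product); treat it as something to check by hand, not as safe.
    """
    for line, fixed in FIXED_IN.get(product, []):
        if version.startswith(line + "."):
            if parse_version(version) < parse_version(fixed):
                return "vulnerable"
            return "fixed"
    return "not covered"


def audit(inventory):
    """Map an iterable of (product, version) pairs to their status."""
    return {(product, version): status(product, version)
            for product, version in inventory}


# Constructed inventory for illustration; not taken from any real deployment.
INVENTORY = [
    ("BOSH stemcell", "3232.4"),
    ("BOSH stemcell", "3146.13"),
    ("Pivotal MySQL", "1.8.0-edge.5"),
    ("Pivotal MySQL", "1.8.0-edge.7"),
    ("Pivotal Single Sign On", "1.12"),
    ("Pivotal Single Sign On", "1.1.0"),
    ("Pivotal Ops Manager", "1.5.9"),
]

if __name__ == "__main__":
    for (product, version), result in audit(INVENTORY).items():
        print(f"{product:34} {version:14} {result}")
```

The per-product rule list is ordered most specific first on purpose: for Pivotal Single Sign On, "1.1.0" must be checked against the 1.1.x line before it falls through to the broader 1.x line, and the prefix test appends a dot so that "1.12" is not mistaken for a 1.1.x version.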

Special Note for 1.7.x Ops Manager Deployments

The 1.7.x release line of Ops Manager includes a new feature that allows tile stemcells to “float”, which will allow Operators to update their Ops Manager deployment once rather than installing all new Services product releases. If you upgrade one Service tile in Ops Manager 1.7.x with the newly released stemcell, all tiles will automatically upgrade. For more information about the floating stemcell feature, refer to this document.

Credit

This issue was identified by a Pivotal team and reported responsibly to the Cloud Foundry Foundation.

References