CVE-2016-6655 Utility Script Command Injection


Severity

Critical

Vendor

Cloud Foundry Foundation

Versions Affected
  • Cloud Foundry release versions prior to v245
  • cf-mysql-release versions prior to v31
Description

A command injection vulnerability was discovered in a utility script shared by many Cloud Foundry components. Because the script is reused so widely, a malicious user has numerous vectors through which to reach it and execute arbitrary commands on servers running Cloud Foundry.
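The vulnerability class named above, as an added illustration that is not part of this advisory and is not the Cloud Foundry utility script (the advisory does not identify the script, its inputs, or the injection point): a constructed POSIX shell helper that splices a caller-supplied value into a command string handed to `sh -c`, shown beside two hardened forms. The function names, the line-counting task, and the temp-file input are assumptions made for the example.

```shell
#!/bin/sh
# Constructed illustration of shell command injection in a "utility script".
# NOT the Cloud Foundry script from the advisory; the function names, the
# line-counting task and the temp-file input are assumptions for this example.

# VULNERABLE PATTERN: an attacker-influenced string is interpolated into a
# command line that a child shell then re-parses. Metacharacters in the value
# (; | & $( ) ` and so on) become shell syntax instead of data.
vuln_count_lines() {
  report="$1"
  sh -c "wc -l < $report"
}

# HARDENED PATTERN 1: if a child shell is unavoidable, pass the value as a
# positional parameter. The child expands "$1" after parsing, so the whole
# value is treated as one filename, metacharacters included.
# (Unquoted $n deliberately strips the padding some wc builds emit.)
safe_count_lines_argv() {
  report="$1"
  sh -c 'n=$(wc -l < "$1") && echo $n' sh "$report"
}

# HARDENED PATTERN 2: allowlist the value before it touches any interpreter.
# Reject empty strings, leading dashes (option injection against whatever
# consumes the value) and anything outside the characters a path needs.
safe_count_lines() {
  report="$1"
  case "$report" in
    ""|-*|*[!A-Za-z0-9._/-]*)
      printf 'rejected unsafe input: %s\n' "$report" >&2
      return 1
      ;;
  esac
  n=$(wc -l < "$report") && echo $n
}

# Demo on a constructed temp file (not data from the advisory).
demo_file=$(mktemp)
printf 'line1\nline2\nline3\n' > "$demo_file"
injected="$demo_file; echo INJECTED"

echo "vulnerable, injected input (the echo runs):"
vuln_count_lines "$injected"
echo "argv-passing, injected input (treated as one filename, fails to open):"
safe_count_lines_argv "$injected" || true
echo "allowlist, injected input (rejected before any command runs):"
safe_count_lines "$injected" || true
echo "allowlist, clean input:"
safe_count_lines "$demo_file"
rm -f "$demo_file"
```

Run it with `sh`. The argv form is the right fix when a child shell genuinely has to be spawned; the allowlist is the additional check to apply when the value also flows on to other tools or interpreters that would parse it again.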

Affected Pivotal Products and Versions
  • PCF Ops Manager 1.7.x versions prior to 1.7.15 AND 1.8.x versions prior to 1.8.6
  • PCF Elastic Runtime versions prior to 1.6.44 AND 1.7.x versions prior to 1.7.27 AND 1.8.x versions prior to 1.8.7
  • Redis for PCF 1.6.x versions prior to 1.6.2
  • MySQL for PCF 1.7.x versions 1.7.11 through 1.7.15 and 1.8.x versions 1.8.0-edge.9 through 1.8.0-edge.12
  • RabbitMQ for PCF 1.6.x versions prior to 1.6.9
Mitigation

OSS users are strongly encouraged to follow the mitigations below:

  • Upgrade to Cloud Foundry v245 [1] or later
  • Upgrade to cf-mysql-release v31 [2] or later

Users of affected Pivotal Products are strongly encouraged to follow the mitigations below:

  • Upgrade PCF Ops Manager 1.7.x versions to 1.7.15 or later OR 1.8.x versions to 1.8.6 or later.
  • Upgrade PCF Elastic Runtime to version 1.6.44 or later OR 1.7.x versions to 1.7.27 or later OR 1.8.x versions to 1.8.7 or later
  • Upgrade Redis for PCF 1.6.x versions to 1.6.2 or later
  • Upgrade MySQL for PCF 1.7.x versions to 1.7.16 or later OR 1.8.x versions to 1.8.0-edge.13 or later
  • Upgrade RabbitMQ for PCF 1.6.x versions to 1.6.9 or later

Credit

IBM Bluemix Team

References