CVE-2016-9880 Unauthenticated access to GemFire for PCF broker endpoints


Severity

High

Vendor

Pivotal

Description

The GemFire broker for Cloud Foundry exposes multiple API endpoints that do not require authentication and could be used to gain access to the cluster managed by the broker.

Affected Pivotal Products and Versions
  • GemFire for PCF:
    • 1.6.x versions prior to 1.6.5
    • 1.7.x versions prior to 1.7.1

Mitigation

Users of affected versions should apply the following mitigation:

  • Upgrade GemFire for PCF
    • 1.6.x versions to 1.6.5 or later
    • 1.7.x versions to 1.7.1 or later

Please note: GemFire for PCF is not available to all users. Please see the download instructions on Pivotal Network [1] for more information.
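For triaging an inventory of installed tiles against the affected ranges above, an added example (not Pivotal's code) that parses a GemFire for PCF version string, compares it numerically against the advisory's fixed versions, and reports the upgrade target; the tile names and versions in the sample inventory are constructed.

```python
import re
from typing import Optional

# Affected branches from this advisory, mapped to the first fixed patch level:
# 1.6.x prior to 1.6.5 and 1.7.x prior to 1.7.1 are affected.
FIXED_PATCH = {
    (1, 6): 5,
    (1, 7): 1,
}


def parse_version(version: str):
    """Parse 'MAJOR.MINOR.PATCH' (optional trailing qualifier) into integers.

    Numeric parsing matters: a lexical compare would rank '1.6.10' below '1.6.5'.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.+].*)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised GemFire for PCF version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> Optional[bool]:
    """True if inside an affected range, False if at or past the fix on a listed
    branch, None if the branch is not covered by this advisory at all."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return None
    return patch < fixed


def remediation(version: str) -> str:
    """One-line triage verdict for a single installed version."""
    major, minor, _ = parse_version(version)
    status = is_affected(version)
    if status is None:
        return f"{version}: branch {major}.{minor}.x not covered by CVE-2016-9880"
    if status:
        target = f"{major}.{minor}.{FIXED_PATCH[(major, minor)]}"
        return f"{version}: affected, upgrade to {target} or later"
    return f"{version}: not affected"


def triage(inventory: dict) -> dict:
    """Map each {name: version} entry of a constructed inventory to its verdict."""
    return {name: remediation(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real deployments.
    sample = {"prod-east": "1.6.4", "prod-west": "1.6.10", "staging": "1.7.0", "dev": "1.8.0"}
    for verdict in triage(sample).values():
        print(verdict)
```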

Credit

This issue was responsibly reported by the GemFire for PCF team.

References

History

2017-02-09: Initial vulnerability report published