CVE-2016-9885 gfsh exposed over go router for GemFire for PCF
The gfsh (Geode Shell) endpoint, used by operators and application developers to connect to their cluster, is unauthenticated and publicly accessible. Because HTTPS communications are terminated at the gorouter, communications from the gorouter to GemFire clusters is unencrypted. An attacker could run any command available on
gfsh and could cause denial of service, lost confidentiality of data, escalate privileges, or eavesdrop on other communications between the gorouter and the cluster.
Severity is critical unless otherwise noted.
- GemFire for PCF:
- 1.6.x versions prior to 1.6.5
- 1.7.x versions prior to 1.7.1
Users of affected versions should apply the following mitigation:
- Upgrade GemFire for PCF:
- 1.6.x versions to 1.6.5 or later
- 1.7.x versions to 1.7.1 or later
- After upgrading, we recommend connection to
gfshfrom a jumpbox inside of your network. Refer to the GemFire documentation for more information.
- Use a load balancer in front of the go router to limit the access to the
gfshendpoint such as in the reference architecture provided here.
This issue was responsibly reported by the GemFire for PCF team.
2017-01-04: Initial vulnerability report published