USN-2617-1 FUSE Vulnerability


Severity

Moderate

Vendor

Cloud Foundry Foundation

Versions Affected
  • Canonical Ubuntu 10.04 and 14.04
Description

A privilege escalation vulnerability was identified in a component used in the Cloud Foundry stacks lucid64 and cflinuxfs2. The FUSE package incorrectly filtered environment variables and could be made to overwrite files as an administrator, allowing a local attacker to gain administrative privileges.

Affected Pivotal Products and Versions

Severity is moderate unless otherwise noted.

  • Cloud Foundry Runtime cf-release versions v209 or earlier are susceptible to the vulnerability.
  • Pivotal Cloud Foundry Elastic Runtime versions prior to 1.4.3
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry Runtime Deployments running Release v209 or earlier upgrade to v210 or later. Release v183 first introduced FUSE as a Cloud Foundry feature.
  • Pivotal recommends that Pivotal Cloud Foundry Operators upgrade to Elastic Runtime 1.4.3 or greater, which is not susceptible to the vulnerability. Note that the FUSE package has been removed from the lucid64 stack in the 1.4.3 Elastic Runtime release while it has been patched in the cflinuxfs2 stack (Trusty). Developers should use the cflinuxfs2 stack in order to use FUSE with Elastic Runtime 1.4.3 and higher.
Credit

This issue was identified by Tavis Ormandy

References