USN-3172-1 Bind vulnerabilities
Severity is medium unless otherwise noted.
- Vulnerable Cloud Foundry BOSH stemcells listed here.
- Pivotal products using stemcells prior to these updated versions are vulnerable to this issue.
Users of affected versions should apply the following mitigation:
- The Cloud Foundry team recommends upgrading to BOSH stemcells & rootfs listed here.
- Upgrade Pivotal products using older stemcells to new versions using the new stemcells mentioned above. On the Pivotal Network product page for each release, check the Depends On section and/or Release Notes for this information.
- Releases that have fixed this issue include:
- PCF Operations Manager: 1.6.28, 1.7.22, 1.8.14
- PCF Elastic Runtime: 1.6.64, 1.7.46, 1.8.27
- MySQL for PCF: 1.6.23, 1.7.23, 1.8.2
- RabbitMQ for PCF: 1.5.24, 1.6.15, 1.7.10
- Redis for PCF: 1.5.27
- Push Notification for PCF: 1.5.8
- PCF Metrics: 1.0.23
- Ops Metrics / JMX Bridge: 1.6.28
- Spring Cloud Services for PCF: 1.0.20, 1.1.11, 1.2.7, 1.3.3
- Single Sign-On for PCF: 1.0.22
- A fix is not yet available for a stable version of 3312.x PCF Elastic Runtime & PCF Operations Manager will be released with a new 3312.x stemcell when it is available. This notice will be updated when the releases are available.
Special Note for 1.7.x, 1.8.x & 1.9.x Ops Manager Deployments
The 1.7.x, 1.8.x and 1.9.x release line of Ops Manager includes a new feature that allows tile stemcells to “float”, which will allow Operators to update their Ops Manager deployment once rather than installing all new Services product releases. If you upgrade one Service tile in Ops Manager 1.7.x, 1.8.x or 1.9.x with the newly released stemcell, all tiles will automatically upgrade. For more information about the floating stemcell feature, refer to this document.