USN-3225-1 libarchive vulnerabilities
CVEs contained in this USN include: CVE-2016-5418, CVE-2016-6250, CVE-2016-7166, CVE-2016-8687, CVE-2016-8688, CVE-2016-8689, CVE-2017-5601
Severity is medium unless otherwise noted.
- Vulnerable Cloud Foundry components individually listed here.
- Pivotal products using CF components prior to the listed updated versions are vulnerable to this issue. See the Mitigation section below for more information.
Users of affected versions should apply the following mitigation:
- The Cloud Foundry team recommends upgrading BOSH stemcells and/or other OSS components listed here if applicable.
- Upgrade Pivotal products using earlier versions of CF components to new versions linked above. On the Pivotal Network product page for each release, check the Depends On section and/or Release Notes for this information.
- Releases that have fixed this issue include:
- PCF Operations Manager: 1.6.31, 1.7.25, 1.8.17, 1.9.8, 1.10.2
- PCF Elastic Runtime: 1.6.74, 1.7.59, 1.8.38, 1.9.16, 1.10.3
- MySQL for PCF: 1.6.26, 1.7.27, 1.8.6
- RabbitMQ for PCF: 1.7.15, 1.6.18, 1.5.27
- Redis for PCF: 1.5.30
- Push Notification for PCF: all current tile versions use floating stemcells
- PCF Metrics: all current tile versions use floating stemcells
- Ops Metrics / JMX Bridge: 1.6.32
- PCF Metrics: Log Search: all current tile versions use floating stemcells
- Single Sign-On for PCF: 1.0.25
- Spring Cloud Services for PCF: 1.0.23, 1.1.14, 1.2.10
Special Note for 1.7.x and above Ops Manager Deployments
The 1.7.x, 1.8.x, 1.9.x, and 1.10.x release line of Ops Manager includes a new feature that allows tile stemcells to “float”, which lets Operators update their Ops Manager deployment once rather than installing all new Services product releases. If you upgrade one Service tile in Ops Manager with the newly released stemcell, all tiles will automatically upgrade. For more information about the floating stemcell feature, refer to this document.