CVE-2016-6655 Utility Script Command Injection
Severity
Critical
Vendor
Cloud Foundry Foundation
Versions Affected
- Cloud Foundry release versions prior to v245
- cf-mysql-release versions prior to v31
Description
A command injection vulnerability was discovered in a common script used by many Cloud Foundry components. A malicious user may exploit numerous vectors to execute arbitrary commands on servers running Cloud Foundry.
Affected VMware Products and Versions
- PCF Ops Manager 1.7.x versions prior to 1.7.15 AND 1.8.x versions prior to 1.8.6
- PCF Elastic Runtime versions prior to 1.6.44 AND 1.7.x versions prior to 1.7.27 AND 1.8.x versions prior to 1.8.7
- Redis for PCF 1.6.x versions prior to 1.6.2
- MySQL for PCF 1.7.x versions 1.7.11 through 1.7.15 and 1.8.x versions 1.8.0-edge.9 through 1.8.0-edge.12
- RabbitMQ for PCF 1.6.x versions prior to 1.6.9
Mitigation
OSS users are strongly encouraged to follow the mitigations below:
- Upgrade to Cloud Foundry v245 [1] or later
- Upgrade to cf-mysql-release v31 [2] or later
Users of affected Pivotal Products are strongly encouraged to follow the mitigations below:
- Upgrade PCF Ops Manager 1.7.x versions to 1.7.15 or later OR 1.8.x versions to 1.8.6 or later
- Upgrade PCF Elastic Runtime to version 1.6.44 or later OR 1.7.x versions to 1.7.27 or later OR 1.8.x versions to 1.8.7 or later
- Upgrade Redis for PCF 1.6.x versions to 1.6.2 or later
- Upgrade MySQL for PCF 1.7.x versions to 1.7.16 and 1.8.x versions to 1.8.0-edge.13
- Upgrade RabbitMQ for PCF 1.6.x versions to 1.6.9 or later
Credit
IBM Bluemix Team