USN-3538-1: OpenSSH vulnerabilities
CVEs contained in this USN include: CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2017-15906
Total CVEs: 5
Affected VMware Products and Versions
Severity is low unless otherwise noted.
- Vulnerable Cloud Foundry components individually listed here.
- Pivotal products using CF components prior to the listed updated versions are vulnerable to this issue. See the Mitigation section below for more information.
Users of affected versions should apply the following mitigation:
- The Cloud Foundry team recommends upgrading BOSH stemcells and/or other OSS components listed here if applicable.
- Upgrade Pivotal products that use earlier versions of CF components to new Pivotal releases using new versions linked above. On the Pivotal Network product page for each release, check the Depends On section and/or Release Notes for this information.
- Releases that have fixed this issue include:
- MySQL for PCF v1.10: See Pivotal Network for more information.
- MySQL for PCF v1.9: See Pivotal Network for more information.
- MySQL for PCF v2: All current tile versions use floating stemcells.
- PCF Elastic Runtime v1.10: 1.10.39
- PCF Elastic Runtime v1.11: 1.11.25
- PCF Elastic Runtime v1.12: 1.12.13
- PCF Elastic Runtime v2.0: 2.0.4
- PCF Healthwatch: All current tile versions use floating stemcells.
- PCF Isolation Segment v1.10: 1.10.30
- PCF Isolation Segment v1.11: 1.11.23
- PCF Isolation Segment v1.12: 1.12.13
- PCF Isolation Segment v2.0: 2.0.3
- PCF Operations Manager: See Pivotal Network for more information.
- Pivotal Cloud Cache: All current tile versions use floating stemcells.
- Pivotal Cloud Foundry JMX Bridge (Ops Metrics): 1.8, 1.9
- Pivotal Cloud Foundry Metrics: See Pivotal Network for more information.
- RabbitMQ for PCF: 1.7.38, 1.8.29, 1.9.15, 1.10.12, 1.11.6
- Redis for PCF: 1.8-1.11
- Scheduler for PCF: 1.1.2
- Spring Cloud Services for PCF: 1.0.39, 1.1.28, 1.2.24, 1.3.8, 1.4.7, 1.5.1
- See Pivotal Network for information on all other tiles.
Special Note for 1.7+ Ops Manager Deployments
All release lines of Ops Manager 1.7 and up include a feature that allows tile stemcells to “float”, which lets Operators update their Ops Manager deployment once rather than installing all new Services product releases. If you upgrade one Service tile in Ops Manager with the newly released stemcell, all tiles with the "float" enabled will automatically upgrade. For more information about the floating stemcell feature, refer to this document.