USN-2617-1 and CVE-2015-3202 FUSE vulnerability


James Bayer
 

Severity: High

Vendor: Canonical Ubuntu

Vulnerable Versions: Canonical Ubuntu 10.04 and 14.04

CVE References: USN-2617-1, CVE-2015-3202

Description:

A privilege escalation vulnerability was identified in a component used in
the Cloud Foundry stacks lucid64 and cflinuxfs2. The FUSE package
incorrectly filtered environment variables and could be made to overwrite
files as an administrator, allowing a local attacker to gain administrative
privileges.

Affected Products and Versions:

- Cloud Foundry Runtime cf-release versions v183 and all releases through
  v209

Mitigation:

The Cloud Foundry project recommends that Cloud Foundry Runtime Deployments
running Release v209 or earlier upgrade to v210 or later. Note that the
FUSE package has been removed from the lucid64 stack in the v210 release
while it has been patched in the cflinuxfs2 stack (Trusty). Developers
should use the cflinuxfs2 stack in order to use FUSE with v210 and higher.

Credit:

This issue was identified by Tavis Ormandy.


--
Thank you,

James Bayer
