[ANNOUNCE] CVE-2015-5350: Garden Nstar vulnerability


Chip Childers <cchilders@...>
 

CVE-2015-5350: Garden Nstar vulnerability

Severity:

High
Vendor:

Cloud Foundry Foundation
Versions Affected:

Garden versions 0.22.0-0.329.0
Description:

A vulnerability has been discovered in the garden-linux nstar executable
that allows a container to read files on the host system. By staging an
application on a Cloud Foundry deployment that uses Diego and Garden with a
malicious custom buildpack, an end user could read any file on the host
system that the BOSH-created vcap user has permission to read and package
those files into their app droplet.
Affected Cloud Foundry Products and Versions:

- All Garden versions prior to v0.330.0

Mitigation:

- The Cloud Foundry project recommends that Cloud Foundry deployments
  using Diego and Garden upgrade to Garden Linux Release v0.330.0 or higher.
  Diego release v0.1444.0 includes Garden Linux v0.330.0.
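An added check (example code written for this page, not a Cloud Foundry or Garden tool) that an operator can run against the release versions in a deployment to see whether the Garden Linux and Diego releases are at or past the fixed versions named above. The version boundaries come from the advisory; the release names "garden-linux" and "diego" and the sample version mapping are assumptions. Versions are compared as integer tuples rather than strings, because a string comparison ranks 0.1444.0 below 0.330.0 and would wrongly call a fixed Diego release old.

```python
import re
from typing import Dict, List, Tuple

# Version boundaries as stated in the advisory.
FIRST_LISTED = (0, 22, 0)      # "Garden versions 0.22.0-0.329.0"
FIXED_GARDEN = (0, 330, 0)     # first fixed garden-linux-release
FIXED_DIEGO = (0, 1444, 0)     # first diego-release stated to bundle Garden Linux v0.330.0

# Accepts "0.329.0", "v0.329.0" and the stray "v.0.330.0" spelling.
_VERSION_RE = re.compile(r"^v?\.?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a release version string into an int tuple for numeric comparison.

    As strings, '0.329.0' sorts after '0.1444.0' ('3' > '1'); as tuples,
    (0, 329, 0) < (0, 1444, 0), which is the ordering we need.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised release version: {text!r}")
    return tuple(int(part) for part in m.groups())


def garden_needs_upgrade(version: str) -> bool:
    """True for any garden-linux-release older than v0.330.0, the fix line."""
    return parse_version(version) < FIXED_GARDEN


def garden_in_listed_range(version: str) -> bool:
    """True if the version is inside the explicitly listed 0.22.0-0.329.0 range."""
    return FIRST_LISTED <= parse_version(version) < FIXED_GARDEN


def diego_bundles_fix(version: str) -> bool:
    """True if this diego-release is v0.1444.0 or later (ships the fixed Garden Linux)."""
    return parse_version(version) >= FIXED_DIEGO


def assess(releases: Dict[str, str]) -> List[str]:
    """Report on a release-name -> version mapping of the deployed BOSH releases.

    Only the assumed release names "garden-linux" and "diego" are inspected.
    Returns one finding per inspected release; a caller can fail a pipeline
    if any finding starts with "UPGRADE" or "CHECK".
    """
    findings: List[str] = []
    if "garden-linux" in releases:
        v = releases["garden-linux"]
        if garden_needs_upgrade(v):
            note = "" if garden_in_listed_range(v) else \
                " (below the listed 0.22.0-0.329.0 range, but still before the fix)"
            findings.append(f"UPGRADE garden-linux {v}: CVE-2015-5350, move to v0.330.0 or higher{note}")
        else:
            findings.append(f"OK garden-linux {v}: at or past v0.330.0")
    if "diego" in releases:
        v = releases["diego"]
        if diego_bundles_fix(v):
            findings.append(f"OK diego {v}: v0.1444.0 or later, bundles Garden Linux v0.330.0 or higher")
        else:
            findings.append(f"CHECK diego {v}: predates v0.1444.0, confirm its Garden Linux is v0.330.0 or higher")
    return findings


# Constructed sample: release versions as you would copy from `bosh releases`.
SAMPLE_RELEASES = {"garden-linux": "0.329.0", "diego": "0.1444.0"}

if __name__ == "__main__":
    for line in assess(SAMPLE_RELEASES):
        print(line)
```

Anything older than v0.330.0 is reported as needing an upgrade, including versions below the listed 0.22.0 floor, since the "Affected Cloud Foundry Products" line above covers all releases prior to v0.330.0; the note on such a finding records that the version sits outside the explicitly listed range.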

Credit:

Julian Friedman

Will Pragnell

Eric Malm

References:

Cloud Foundry:

* Garden-Linux-Release
<https://github.com/cloudfoundry-incubator/garden-linux-release>

* Diego-Release <https://github.com/cloudfoundry-incubator/diego-release>
