CVE-2016-0761 Docker Image Host Files Corruption
Dieu Cao <dcao@...>
Severity

Critical

Vendor

Cloud Foundry Foundation

Description

Garden Linux contains a flaw in managing container files during Docker image preparation that could be used to delete, corrupt or overwrite host files and directories, including other container filesystems on the host.

Affected Cloud Foundry Products and Versions

- All Garden-Linux versions prior to and including v0.332.0

Please note that all Diego versions up to and including 0.1453.0 recommend Garden Linux versions that are affected.

Mitigation

- The Cloud Foundry Foundation recommends that all deployments of Garden-Linux are upgraded to v0.333.0 [1]
- Deployments using Garden Linux as part of a Diego-based runtime environment are encouraged to upgrade to Diego 0.1454.0 [2], which explicitly recommends Garden Linux 0.333.0 as a compatible dependency.
- Deployments using Garden Linux as part of a Diego-based runtime environment that do not wish to upgrade Diego to version 0.1454.0 may alternately consider upgrading only Garden Linux to version 0.333.0 for versions of Diego believed to be compatible.
  - Diego version 0.1436.0 and later (anything already known to be compatible with Garden Linux 0.308.0) should accommodate upgrading only Garden Linux to 0.333.0.
  - Diego 0.1435.0 and earlier will require an upgrade to 0.1436.0 or later to be compatible with Garden Linux 0.333.0.

Credit

Swisscom / SEC Consult

References

[1] https://github.com/cloudfoundry-incubator/garden-linux-release/releases/tag/v0.333.0
[2] https://github.com/cloudfoundry-incubator/diego-release/releases/tag/v0.1454.0

History

2016-Feb-26: Initial vulnerability report published