Command Injection Vulnerability


Rasheed Abdul-Aziz
 

The Cloud Foundry Foundation and Pivotal Inc discovered an exploit for
remote command injection. It's long been fixed, however we realized that
many community projects still contain the exploit.

If you are responsible for any of the following repositories, please
consider patching them soon. The patch is described in the detailed report
<https://docs.google.com/document/d/1MOJPOR_fNjvhu2zcEvLm632Dmd2HGp71UCrSmyOHcFs/pub>

This exploit <http://pivotal.io/security/cve-2016-6655>exists in the
following projects. We've highlighted the affected lines

*docker-registry-boshrelease*
https://github.com/cloudfoundry-community/docker-registry-boshrelease/blob/
master/src/common/utils.sh#L4-L5

*stackdriver-tools*
https://github.com/cloudfoundry-community/stackdriver-tools/blob/master/
src/common/utils.sh#L3-L4

*hazelcast*
https://github.com/cloudfoundry-community/hazelcast/blob/master/
hazelcast-enterprise-for-pcf/release/src/common/utils.sh#L4-L5
https://github.com/cloudfoundry-community/hazelcast/blob/master/
hazelcast-for-pcf/release/src/common/utils.sh#L4-L5
https://github.com/cloudfoundry-community/hazelcast/blob/master/
hazelcast-mancenter-for-pcf/release/src/common/utils.sh#L4-L5

*gogs-boshrelease*
https://github.com/cloudfoundry-community/gogs-boshrelease/blob/master/src/
common/utils.sh#L4-L5

*bosh-softlayer-pool-server-release*
https://github.com/cloudfoundry-community/bosh-
softlayer-pool-server-release/blob/master/jobs/vps/
templates/pid_utils.sh.erb#L3-L4

Kind Regards,
Rasheed Abdul-Aziz And Zamir Johl
Pivotal Inc Security Triage Team.

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.