CVE-2018-1221: Gorouter websocket handling vulnerability
Hello all, We have identified a critical-severity issue with Routing. This issue has been assigned CVE-2018-1221. The public notice can be found here: https://www.cloudfoundry.org/blog/cve-2018-1221/
By Molly Crowther · #7729

Change in CF Security RSS Feed
Hello all, A few weeks ago, the foundation did some re-architecting of the CF blog to improve SEO and searchability. These updates changed the location of the Security RSS feed. If you are using this
By Molly Crowther · #7710

CVE-2017-14389: Application Subdomain Takeover via Cloud Foundry Private Domains
Hello all, We have identified a high-severity issue with Cloud Controller. This issue has been assigned CVE-2017-14389. It was responsibly reported by the GE Digital Security Team. A Cloud Foundry user
By Molly Crowther · #7554

CVE-2017-14388: GrootFS doesn't validate DiffIDs
FYI - You are only vulnerable to this if you are using GrootFS and are enabling developers to push docker containers to the platform. You need developer privileges to exploit. Molly
By Molly Crowther · #7508

CVE-2017-14388: GrootFS doesn't validate DiffIDs
Apologies for posting this late but wanted it out before Friday morning (Pacific time) for Europe folks. The fix is already committed so I didn't want to wait until Monday. https://www.cloudfoundry.or
By Molly Crowther · #7507

Information about 3 CAPI CVEs
Hello all - Please see below for more information on 3 CAPI CVEs made public today. Please reply if you have any questions. Thanks, Molly Crowther CFF Security Team CVE-2017-8033: Cloud Controller API
By Molly Crowther · #7061

CVE-2017-8032: UAA Identity Zone Admin Privilege Escalation
Please see below for information regarding a high CVE in UAA. Please pay extra attention to the Mitigation section to determine if your foundation is affected AND workaround information that you can p
By Molly Crowther · #6926

CONFIDENTIAL / ACTION REQUIRED - CVE-2017-4992: Privilege escalation with user invitations
Hello - It's been brought to my attention that the messaging was confusing on this one as we originally included more information when we went public with the notice for CVE-2017-4992 but eventually p
By Molly Crowther · #6914

CVE-2017-4994: Forwarded Headers in UAA
Please see the following link regarding a high CVE in UAA. If you have any further questions about this CVE, please join the #security channel in the open source slack. https://www.cloudfoundry.org/cv
By Molly Crowther · #6887

CVE-2017-4992: Privilege escalation with user invitations
Please see the following link for information on *critical* UAA CVE CVE-2017-4992: Privilege escalation with user invitations We tried to include more information this time about how to tell if you ar
By Molly Crowther · #6831

CVE-2017-4991: UAA allows password reset across zones
CF devs, Please see the following public link for information about a high CVE in UAA. https://www.cloudfoundry.org/cve-2017-4991/ Friendly reminder tha
By Molly Crowther · #6828

CVE-2017-4974: Blind SQL Injection with privileged UAA endpoints
CF devs, Please see the following public link for information about a high CVE in UAA. This is a continuation of work that was originally released as part of CVE-2017-4972 <https://www.cloudfoundry.org/
By Molly Crowther · #6760

CVE-2017-4961: BOSH Director Shell Injection Vulnerabilities
CF devs, Please see the following public link for information about a high CVE in bosh. https://www.cloudfoundry.org/cve-2017-4961/ Friendly reminder that you can subscribe to new Cloud Foundry securi
By Molly Crowther · #6759

CVE-2017-4973: Privilege Escalation in UAA
CF Devs, Please see information for the following high UAA CVE. This issue was fixed in the same releases as CVE-2017-4972 (the blind SQL injection) so if you already have plans to upgrade, you don't
By Molly Crowther · #6714

CVE-2017-4972: Blind SQL Injection in UAA
CF devs, Please see the following public link for information about a high CVE in UAA. https://www.cloudfoundry.org/cve-2017-4972/ Friendly reminder that you can subscribe to new Cloud Foundry securit
By Molly Crowther · #6711

CVE-2017-4970: Static file buildpack ignores basic authentication when misconfigured
Please see the following CVE (also available at https://www.cloudfoundry.org/cve-2017-4970/). To always be up to date with OSS Cloud Foundry CVE notices, please check out the #security channel in the
By Molly Crowther · #6679

CVE-2017-4964: BOSH Azure CPI code injection vulnerability
Please see the following *medium* security advisory and let us know if you have any questions or concerns. https://www.cloudfoundry.org/cve-2017-4964/ Thanks, Molly Crowther Cloud Foundry Foundation S
By Molly Crowther · #6638

[informational] CVE-2017-5638: Apache Struts Remote Code Execution
Please see the following advisory notice about the Apache Struts 2 remote code execution CVE (aka "strutshock" or "struts-shock"). The Cloud Foundry project itself does not appear to be vulnerable, bu
By Molly Crowther · #6517

CVE-2017-4960: UAA OAuth DOS via lockout feature
Please see the following notice for a high UAA CVE posted to cloudfoundry.org/security. Let us know if you have any questions or concerns. https://www.cloudfoundry.org/cve-2017-4960/ Thanks, Molly Cro
By Molly Crowther · #6494

Update to Garden RunC vulnerability notice
Hello - we originally thought we were not vulnerable to a vulnerability in RunC but turns out it is complicated. Please see updated notice below. https://www.cloudfoundry.org/cve-2016-9962/ Please let
By Molly Crowther · #6295