A privilege escalation vulnerability was identified in a component used in the Cloud Foundry stacks lucid64 and cflinuxfs2. The FUSE package incorrectly filtered environment variables and could be made to overwrite files as an administrator, allowing a local attacker to gain administrative privileges.
Affected Products and Versions:
- Cloud Foundry Runtime cf-release versions v183 and all releases through v209
Mitigation:
The Cloud Foundry project recommends that Cloud Foundry Runtime Deployments running Release v209 or earlier upgrade to v210 or later. Note that the FUSE package has been removed from the lucid64 stack in the v210 release while it has been patched in the cflinuxfs2 stack (Trusty). Developers should use the cflinuxfs2 stack in order to use FUSE with v210 and higher.