USN-2617-1 and CVE-2015-3202 FUSE vulnerability

James Bayer

Severity: High

Vendor: Canonical Ubuntu

Vulnerable Versions: Canonical Ubuntu 10.04 and 14.04

CVE References: USN-2617-1, CVE-2015-3202

A privilege escalation vulnerability was identified in a component used in
the Cloud Foundry stacks lucid64 and cfliunuxfs2. The FUSE package
incorrectly filtered environment variables and could be made to overwrite
files as an administrator, allowing a local attacker to gain administrative
Affected Products and Versions:


Cloud Foundry Runtime cf-release versions v183 and all releases through


The Cloud Foundry project recommends that Cloud Foundry Runtime Deployments
running Release v209 or earlier upgrade to v210 or later. Note that the
FUSE package has been removed from the lucid64 stack in the v210 release
while it has been patched in the cflinuxfs2 stack (Trusty). Developers
should use the cflinuxfs2 stack in order to use FUSE with v210 and higher.


This issue was identified by Tavis Ormandy

Thank you,

James Bayer