CVE 2016-6655: Utility script command injection


Travis McPeak
 

Severity

Critical

Vendor

Cloud Foundry Foundation

Versions Affected

- Cloud Foundry release versions prior to v245
- cf-mysql-release versions prior to v31

Description

A command injection vulnerability was discovered in a common script used by
many Cloud Foundry components. A malicious user may exploit numerous
vectors to execute arbitrary commands on servers running Cloud Foundry.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

- Upgrade to Cloud Foundry v245 [1] or later
- Upgrade to cf-mysql-release v31 [2] or later

Credit

This issue was discovered by IBM BlueMix.

References

- [1] https://github.com/cloudfoundry/cf-release/releases/tag/v245
- [2] https://github.com/cloudfoundry/cf-mysql-release/releases/tag/v31