CVE-2016-0780 Cloud Controller Disk Quota Enforcement
Severity
High
Vendor
Cloud Foundry Foundation and Pivotal Cloud Foundry
Versions Affected
- cf-release v231 and lower
- Pivotal Cloud Foundry Elastic Runtime 1.5.x versions prior to 1.5.17 AND 1.6.x versions prior to 1.6.18
Description
It was discovered that Cloud Foundry does not properly enforce disk quotas in certain cases. An attacker could use an improper disk quota value to bypass enforcement and consume all of the disk on DEAs/Cells, causing a potential denial of service for other applications.
Mitigation
Users of affected versions should apply the following mitigation:
- Upgrade to cf-release v233 [1] (cf-release v232 is not recommended for use)
- Upgrade Pivotal Cloud Foundry Elastic Runtime 1.5.x versions to 1.5.17 or later OR 1.6.x versions to 1.6.18 or later
Credit
Fujitsu Limited
References
History
2016-Mar-23: Initial vulnerability report published