CVE-2017-4975: Tile generator sets open security groups
Severity
High
Vendor
Pivotal
Description
Tiles built with the PCF Tile Generator create an open security group for the running lifecycle phase, which overrides the security groups set by the operator.
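For operators who want to check an existing foundation for the condition this advisory describes, the following added example (written for this page, not Pivotal's or the tile generator's own code) parses the JSON that `cf curl /v2/security_groups` returns and flags groups bound to the running lifecycle that contain a rule allowing any protocol, or every TCP/UDP port, to the entire IPv4 address space. The response shape (`resources[].entity.name`, `rules`, `running_default`) is assumed from the v2 API, and the embedded sample response is constructed for the example.

```python
import ipaddress
import json

# Constructed sample in the assumed shape of `cf curl /v2/security_groups`;
# names, GUIDs and rules are made up for this example.
SAMPLE_V2_RESPONSE = json.dumps({
    "resources": [
        {
            "metadata": {"guid": "guid-operator-db"},
            "entity": {
                "name": "operator-db-access",
                "running_default": True,
                "staging_default": False,
                "rules": [
                    {"protocol": "tcp", "destination": "10.0.5.0/24", "ports": "5432"}
                ],
            },
        },
        {
            "metadata": {"guid": "guid-tile-open"},
            "entity": {
                "name": "example-tile-open-all",
                "running_default": True,
                "staging_default": False,
                "rules": [
                    {"protocol": "all", "destination": "0.0.0.0-255.255.255.255"}
                ],
            },
        },
        {
            "metadata": {"guid": "guid-narrow-all"},
            "entity": {
                "name": "narrow-all-proto",
                "running_default": False,
                "staging_default": True,
                "rules": [
                    {"protocol": "all", "destination": "10.0.0.0/8"}
                ],
            },
        },
    ]
})

# Bounds of the whole IPv4 space, used to recognise "anywhere" destinations.
_V4_FIRST = ipaddress.ip_address("0.0.0.0")
_V4_LAST = ipaddress.ip_address("255.255.255.255")


def destination_is_unrestricted(destination: str) -> bool:
    """True when the destination covers all of IPv4.

    Security group destinations may be a single address, a CIDR block,
    or a dash-separated range, so all three forms are handled.
    """
    text = destination.strip()
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return lo == _V4_FIRST and hi == _V4_LAST
    net = ipaddress.ip_network(text, strict=False)
    return net == ipaddress.ip_network("0.0.0.0/0")


def rule_is_wide_open(rule: dict) -> bool:
    """A rule is wide open when it reaches the whole IPv4 space with any
    protocol, or with TCP/UDP and no port restriction."""
    if not destination_is_unrestricted(rule.get("destination", "")):
        return False
    protocol = rule.get("protocol", "").lower()
    if protocol == "all":
        return True
    if protocol in ("tcp", "udp"):
        ports = rule.get("ports", "").replace(" ", "")
        return ports in ("", "1-65535")
    return False


def find_open_running_groups(v2_json: str) -> list:
    """Return the names of security groups that are bound to the running
    lifecycle by default and contain at least one wide-open rule."""
    findings = []
    for resource in json.loads(v2_json)["resources"]:
        entity = resource["entity"]
        if not entity.get("running_default"):
            continue
        if any(rule_is_wide_open(r) for r in entity.get("rules", [])):
            findings.append(entity["name"])
    return findings


if __name__ == "__main__":
    # Usage: pipe real output with `cf curl /v2/security_groups > groups.json`
    # and pass its contents in place of the constructed sample.
    for name in find_open_running_groups(SAMPLE_V2_RESPONSE):
        print(f"open running security group: {name}")
```

The check only looks at groups bound globally to the running lifecycle (`running_default`); a group bound to individual spaces rather than as a default would need the space-binding endpoints inspected as well, and the page-level `cf curl` output is paginated, so a real run should follow `next_url` until it is null.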
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- PCF Tile Generator versions prior to 6.0.0
Affected Partner Products and Versions
Severity is high unless otherwise noted.
- Aerospike Service Broker for PCF versions prior to 1.0.1
- AppDynamics Service Broker for PCF versions prior to 1.2.1
- All versions of Azuqua Platform Connector for PCF
- Blue Medora Nozzle for PCF versions prior to 1.2.0
- All versions of Cloudflare Service Broker for PCF (BETA)
- Cloudsoft Service Broker for PCF (BETA) versions prior to 1.2.0
- Dynatrace Service Broker for PCF versions prior to 1.2.2
- EDB Postgres Service Broker for PCF versions prior to 1.0.15
- First Data Payments Service Broker for PCF (BETA) versions prior to 1.0.2
- ForgeRock Service Broker for PCF versions prior to 2.0.1
- GCP Service Broker for PCF versions prior to 3.3.2
- GCP Stackdriver Nozzle for PCF versions prior to 1.0.3
- Gluon Cloud Cloudlink Service Broker for PCF (BETA) versions prior to 0.9.1
- Guardtime Blockchain Service Broker for PCF (BETA) versions prior to 0.0.8
- Honeycomb Nozzle for PCF (BETA) versions prior to 0.1.1
- Microsoft Azure Service Broker for PCF versions prior to 1.2.2
- New Relic Service Broker for PCF:
  - All versions prior to 1.7.1
  - 1.8.x versions prior to 1.8.1
  - 1.9.x versions prior to 1.9.1
- PagerDuty Service Broker for PCF (BETA) versions prior to 0.0.2
- Signal Sciences Service Broker for PCF (BETA) versions prior to 0.0.26
- SignalFx Monitoring and Alerting for PCF (BETA) versions prior to 0.9.1
- Solace Messaging for PCF versions prior to 1.0.1
- Stardog Service Broker for PCF (BETA) versions prior to 0.9.2
Mitigation
Users of affected versions should apply the following mitigation:
- For existing installations:
  - Refer to this Pivotal Knowledge Base Article and contact Pivotal Support with any questions or concerns.
- For new installations, releases that have fixed this issue include:
  - Aerospike Service Broker for PCF: 1.0.1
  - AppDynamics Service Broker for PCF: 1.2.1
  - Blue Medora Nozzle for PCF: 1.2.0
  - Dynatrace Service Broker for PCF: 1.2.2
  - Cloudsoft Service Broker for PCF (BETA): 1.2.0
  - EDB Postgres Service Broker for PCF: 1.0.15
  - First Data Payments Service Broker for PCF (BETA): 1.0.2
  - ForgeRock Service Broker for PCF: 2.0.1
  - GCP Service Broker for PCF: 3.3.2
  - GCP Stackdriver Nozzle for PCF: 1.0.3
  - Gluon Cloud Cloudlink Service Broker for PCF (BETA): 0.9.1
  - Guardtime Blockchain Service Broker for PCF (BETA): 0.0.8
  - Honeycomb Nozzle for PCF (BETA): 0.1.1
  - Microsoft Azure Service Broker for PCF: 1.2.2
  - New Relic Service Broker for PCF: 1.7.1, 1.8.1, 1.9.1
  - PagerDuty Service Broker for PCF (BETA): 0.0.2
  - Signal Sciences Service Broker for PCF (BETA): 0.0.26
  - SignalFx Monitoring and Alerting for PCF (BETA): 0.9.1
  - Solace Messaging for PCF: 1.0.1
  - Stardog Service Broker for PCF (BETA): 0.9.2
- Note: if a tile is not listed in this section, a new version is not yet available. This page will be updated as more tiles are released.
References
- https://github.com/cf-platform-eng/tile-generator/releases
- https://pivotal.io/security/cve-2016-0896
History
2017-05-15: Initial vulnerability report published