CVE-2018-1265: Diego does not properly sanitize file paths in tar/zip files
Severity
Critical
References
Affected VMware Products and Versions
Severity is critical unless otherwise noted.
- Pivotal Application Service
  - 2.1.x versions prior to 2.1.7
  - 2.0.x versions prior to 2.0.16
  - 1.12.x versions prior to 1.12.25
  - 1.11.x versions prior to 1.11.35
- PCF Isolation Segment
  - 2.1.x versions prior to 2.1.6
  - 2.0.x versions prior to 2.0.12
  - 1.12.x versions prior to 1.12.21
  - 1.11.x versions prior to 1.11.30
- PAS for Windows2012R2
  - 2.1.x versions prior to 2.1.6
  - 2.0.x versions prior to 2.0.8
  - 1.12.x versions prior to 1.12.11
  - 1.11.x versions prior to 1.11.13
- PAS for Windows
  - 2.1.x versions prior to 2.1.7
Mitigation
Users of affected versions should apply the following mitigation:
- The Cloud Foundry team recommends upgrading BOSH stemcells and/or other OSS components listed here if applicable.
- Releases that have fixed this issue include:
  - Pivotal Application Service: 2.1.7, 2.0.16, 1.12.25, 1.11.35
  - PCF Isolation Segment: 2.1.6, 2.0.12, 1.12.21, 1.11.30
  - PAS for Windows2012R2: 2.1.6, 2.0.8, 1.12.11, 1.11.13
  - PAS for Windows: 2.1.7
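The bug class named in the title is an archive entry whose name (or symlink target) resolves to a path outside the directory it is being extracted into. The following Go code is an added example of the check an extractor needs to reject such entries; it is not Diego's code, and the function names SafeJoin and CheckTar, the destination /srv/app and the archives built in the test are all assumed or constructed for illustration.

```go
package main

import (
	"archive/tar"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

var ErrPathEscapes = errors.New("archive entry escapes destination directory")

// SafeJoin resolves an archive entry name against dest and rejects any result outside dest.
// filepath.Join cleans ".." segments first; the trailing separator keeps a sibling such as dest+"2" out.
func SafeJoin(dest, name string) (string, error) {
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrPathEscapes, name)
	}
	return target, nil
}

// CheckTar validates every entry of a tar stream before anything is written to disk and
// returns the resolved target paths, failing on the first entry or symlink that escapes dest.
func CheckTar(r io.Reader, dest string) ([]string, error) {
	var accepted []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return accepted, nil
		} else if err != nil {
			return nil, err
		}
		target, err := SafeJoin(dest, hdr.Name)
		if err != nil {
			return nil, err
		}
		// A symlink is resolved relative to its own directory; absolute targets are rejected too.
		if hdr.Typeflag == tar.TypeSymlink {
			_, lerr := SafeJoin(dest, filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname))
			if filepath.IsAbs(hdr.Linkname) || lerr != nil {
				return nil, fmt.Errorf("%w: symlink %q -> %q", ErrPathEscapes, hdr.Name, hdr.Linkname)
			}
		}
		accepted = append(accepted, target)
	}
}
```

Run the check over the whole stream before extracting, so a single bad entry rejects the archive instead of leaving a partially written tree behind.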