Cloud Foundry BOSH Ubuntu Stemcell vulnerable to CVE-2013-2094 exploits

James Bayer

Mar 15, 2014, 12:10:11 AM
to vcap...@cloudfoundry.org, bosh-users, bosh...@cloudfoundry.org
Cloud Foundry BOSH Ubuntu Stemcell vulnerable to CVE-2013-2094 exploits


Severity: High


Vendor: Cloud Foundry by Pivotal


Versions Affected:

- Any open source deployment based on a Cloud Foundry BOSH provided stemcell stable version 2175 and lower.
- Earlier unsupported versions may be affected
- Pivotal CF 1.0


Description:

Cloud Foundry BOSH uses Ubuntu as the underlying operating system for Cloud Foundry. CVE-2013-2094 describes a Linux kernel vulnerability by which an unauthorized user could gain root access. Any Cloud Foundry deployment that uses the Ubuntu based stemcell with Cloud Foundry BOSH (including Pivotal CF 1.0 and earlier versions as well as deployments of the open source) could be affected by this vulnerability.


Mitigation:
Open source users of affected versions should download and deploy a BOSH stemcell stable version 2200 and higher or stemcell stable version 1471.2.
See http://bosh_artifacts.cfapps.io/ to download an updated stemcell 2200 or higher.
Pivotal CF 1.0 users should upgrade to Pivotal CF 1.1 at https://network.gopivotal.com/products/pivotal-cf.


Credit:
This issue was discovered and responsibly reported to the Pivotal security team
by Christopher Ferris of IBM.


References:

--
Thank you,

James Bayer
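The mitigation above names the fixed stemcell versions (2200 and higher, or 1471.2) and the affected range (2175 and lower). The following audit script is an added example, not part of James Bayer's advisory or of BOSH itself: it encodes those thresholds and classifies a stemcell inventory so an operator can see which deployments still need an upgrade. The inventory is constructed sample data in the name/version shape you would build from a `bosh stemcells` listing; the assumption that later point releases on the 1471 line keep the fix 1471.2 introduced is mine, not the advisory's.

```ruby
# Added example: flag BOSH stemcells below the versions the advisory names as fixed.
# Not part of the original thread or of BOSH. Thresholds come from the advisory
# text; the stemcell inventory below is constructed sample data.

FIXED_MAINLINE = 2200          # "stemcell stable version 2200 and higher"
FIXED_BRANCH   = [1471, 2]     # "stemcell stable version 1471.2"
LAST_AFFECTED  = 2175          # "stable version 2175 and lower"

# "1471.2" -> [1471, 2]; "2200" -> [2200]. Returns nil for anything non-numeric.
def parse_version(str)
  s = str.to_s.strip
  return nil unless s =~ /\A\d+(\.\d+)*\z/
  s.split('.').map(&:to_i)
end

# Classify one stemcell version against the advisory's thresholds.
def classify(version)
  parts = parse_version(version)
  return :unparseable if parts.nil?
  major = parts[0]
  minor = parts[1] || 0
  return :patched if major >= FIXED_MAINLINE
  # Assumption (not stated in the advisory): later point releases on the
  # 1471 line keep the fix that 1471.2 introduced.
  return :patched if major == FIXED_BRANCH[0] && minor >= FIXED_BRANCH[1]
  return :affected if major <= LAST_AFFECTED
  :unverified   # 2176..2199: not named either way by the advisory
end

# Constructed inventory: [stemcell name, version] pairs.
SAMPLE_INVENTORY = [
  ['bosh-aws-xen-ubuntu', '2175'],
  ['bosh-aws-xen-ubuntu', '1471.1'],
  ['bosh-aws-xen-ubuntu', '1471.2'],
  ['bosh-aws-xen-ubuntu', '2200'],
  ['bosh-aws-xen-ubuntu', 'latest'],   # a bad entry, to show the unparseable path
]

SEVERITY = { affected: 0, unparseable: 1, unverified: 2, patched: 3 }

# Returns [name, version, status] rows, most urgent first (stable order within a status).
def audit(inventory)
  rows = inventory.map { |name, ver| [name, ver, classify(ver)] }
  rows.each_with_index.sort_by { |row, i| [SEVERITY[row[2]], i] }.map(&:first)
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_INVENTORY).each do |name, ver, status|
    puts format('%-12s %-22s %s', status, name, ver)
  end
end
```

Anything reported as `affected` or `unverified` should be redeployed on a 2200+ stemcell; `unparseable` entries point at inventory records that need a human look before the audit can be trusted.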

David Williams

Mar 17, 2014, 1:01:07 PM
to vcap...@cloudfoundry.org, bosh-users, bosh...@cloudfoundry.org
Hi James. Will this be a regular thing... posting security notices on this forum with mitigation steps? Also, will similar guidance be given with buildpack-based runtime components (i.e. when CVE notices are published for Tomcat, nginx, etcd, etc.)? I think this is an important process as CF matures, especially with Pivotal CF adoption in the enterprise.

James Bayer

Mar 17, 2014, 3:23:31 PM
to bosh...@cloudfoundry.org, vcap...@cloudfoundry.org, bosh-users
Yes, we will certainly inform the CF community when security related updates are available, especially as they relate to the CF platform components like stemcells, which are assets the CF team produces. I'm pretty sure that it doesn't make sense to clutter this main vcap-dev mailing list with all of the security notices for all upstream software like Java, Ruby, Node, nginx, etc. that we simply distribute. We do regularly take in updates to the java-buildpack for example so the latest OpenJDK and Tomcat security fixes are pulled in quickly. I don't think the occasional emails are the final solution we'll end up using for OSS CF, but this is the mechanism we're going to use until a more specialized security infrastructure and update mechanism is in place.
