PT-2017-10381 · Pivotal · Pivotal Gemfire For Pcf

Published: 2017-01-06 · Updated: 2017-01-11 · CVE-2016-9885

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Pivotal GemFire for PCF versions prior to 1.6.5
Pivotal GemFire for PCF versions prior to 1.7.1

Description

An issue was discovered where the gfsh endpoint is unauthenticated and publicly accessible. This allows an attacker to run any command available on gfsh, potentially causing denial of service, lost confidentiality of data, privilege escalation, or eavesdropping on communications between the gorouter and the cluster. The communications from the gorouter to GemFire clusters are unencrypted because HTTPS communications are terminated at the gorouter.

Recommendations

For Pivotal GemFire for PCF versions prior to 1.6.5, update to version 1.6.5 or later. For Pivotal GemFire for PCF versions prior to 1.7.1, update to version 1.7.1 or later.

Fix

DoS

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2016-9885

Affected Products

Pivotal Gemfire For Pcf