PT-2017-10381 · Pivotal · Pivotal Gemfire For Pcf

Published: 2017-01-06 · Updated: 2017-01-11 · CVE-2016-9885

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Pivotal GemFire for PCF versions prior to 1.6.5
Pivotal GemFire for PCF versions prior to 1.7.1

Description

An issue was discovered where the gfsh endpoint is unauthenticated and publicly accessible. This allows an attacker to run any command available in gfsh, potentially causing denial of service, loss of data confidentiality, privilege escalation, or eavesdropping on communications between the gorouter and the cluster. Communications from the gorouter to GemFire clusters are unencrypted because HTTPS is terminated at the gorouter.

Recommendations

For Pivotal GemFire for PCF versions prior to 1.6.5, update to version 1.6.5 or later.
For Pivotal GemFire for PCF versions prior to 1.7.1, update to version 1.7.1 or later.

Fix

DoS

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2016-9885

Affected Products

Pivotal Gemfire For Pcf