Vulnerabilities > CVE-2016-9885 - 7PK - Security Features vulnerability in Pivotal Software Gemfire for Pivotal Cloud Foundry

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

pivotal-software

CWE-254

critical

NVD

Published: 2017-01-06

Updated: 2017-01-11

Summary

An issue was discovered in Pivotal GemFire for PCF 1.6.x versions prior to 1.6.5 and 1.7.x versions prior to 1.7.1. The gfsh (Geode Shell) endpoint, used by operators and application developers to connect to their cluster, is unauthenticated and publicly accessible. Because HTTPS communications are terminated at the gorouter, communications from the gorouter to GemFire clusters are unencrypted. An attacker could run any command available on gfsh and could cause denial of service, lost confidentiality of data, escalate privileges, or eavesdrop on other communications between the gorouter and the cluster.

Vulnerable Configurations

Part	Description	Count
Application	Pivotal_Software Pivotal Software Gemfire FOR Pivotal Cloud Foundry 1.6.1 Pivotal Software Gemfire FOR Pivotal Cloud Foundry 1.7.0.0 Pivotal Software Gemfire FOR Pivotal Cloud Foundry 1.6.0.0 Pivotal Software Gemfire FOR Pivotal Cloud Foundry 1.6.4.0 Pivotal Software Gemfire FOR Pivotal Cloud Foundry 1.6.2 Pivotal Software Gemfire FOR Pivotal Cloud Foundry 1.6.3.0	6

Common Weakness Enumeration (CWE)

CWE-254 - 7PK - Security Features

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References