CVE-2016-9885 — CRITICAL (9.8)

Vulnerability Description

An issue was discovered in Pivotal GemFire for PCF 1.6.x versions prior to 1.6.5 and 1.7.x versions prior to 1.7.1. The gfsh (Geode Shell) endpoint, used by operators and application developers to connect to their cluster, is unauthenticated and publicly accessible. Because HTTPS communications are terminated at the gorouter, communications from the gorouter to GemFire clusters are unencrypted. An attacker could run any command available on gfsh and could cause denial of service, lost confidentiality of data, escalate privileges, or eavesdrop on other communications between the gorouter and the cluster.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Pivotal Software	Gemfire For Pivotal Cloud Foundry	1.6.0.0

Related Weaknesses (CWE)

CWE-254 CWE-200

References

http://www.securityfocus.com/bid/95270
https://pivotal.io/security/cve-2016-9885Vendor Advisory
http://www.securityfocus.com/bid/95270
https://pivotal.io/security/cve-2016-9885Vendor Advisory

FAQ

What is CVE-2016-9885?

CVE-2016-9885 is a vulnerability with a CVSS score of 9.8 (CRITICAL). An issue was discovered in Pivotal GemFire for PCF 1.6.x versions prior to 1.6.5 and 1.7.x versions prior to 1.7.1. The gfsh (Geode Shell) endpoint, used by operators and application developers to con...

How severe is CVE-2016-9885?

CVE-2016-9885 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2016-9885?

Check the references section above for vendor advisories and patch information. Affected products include: Pivotal Software Gemfire For Pivotal Cloud Foundry.