CVE-2017-14388: Input Validation
First published: Mon Nov 13 2017(Updated: )
Cloud Foundry Foundation GrootFS release 0.3.x versions prior to 0.30.0 do not validate DiffIDs, allowing specially crafted images to poison the grootfs volume cache. For example, this could allow an attacker to provide an image layer that GrootFS would consider to be the Ubuntu base layer.
Credit: security_alert@emc.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pivotal Software Grootfs | =0.3.0 | |
| Pivotal Software Grootfs | =0.4.0 | |
| Pivotal Software Grootfs | =0.5.0 | |
| Pivotal Software Grootfs | =0.6.0 | |
| Pivotal Software Grootfs | =0.7.0 | |
| Pivotal Software Grootfs | =0.8.0 | |
| Pivotal Software Grootfs | =0.9.0 | |
| Pivotal Software Grootfs | =0.10.0 | |
| Pivotal Software Grootfs | =0.11.0 | |
| Pivotal Software Grootfs | =0.12.0 | |
| Pivotal Software Grootfs | =0.13.0 | |
| Pivotal Software Grootfs | =0.14.0 | |
| Pivotal Software Grootfs | =0.15.0 | |
| Pivotal Software Grootfs | =0.16.0 | |
| Pivotal Software Grootfs | =0.17.0 | |
| Pivotal Software Grootfs | =0.17.1 | |
| Pivotal Software Grootfs | =0.18.0 | |
| Pivotal Software Grootfs | =0.19.0 | |
| Pivotal Software Grootfs | =0.20.0 | |
| Pivotal Software Grootfs | =0.21.0 | |
| Pivotal Software Grootfs | =0.24.0 | |
| Pivotal Software Grootfs | =0.25.0 | |
| Pivotal Software Grootfs | =0.26.0 | |
| Pivotal Software Grootfs | =0.27.0 | |
| Pivotal Software Grootfs | =0.28.0 | |
| Pivotal Software Grootfs | =0.28.1 | |
| Pivotal Software Grootfs | =0.29.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-14388?
The severity of CVE-2017-14388 is classified as medium due to potential risks of cache poisoning in the GrootFS volume.
How do I fix CVE-2017-14388?
To fix CVE-2017-14388, upgrade GrootFS to version 0.30.0 or later, which includes the necessary validation for DiffIDs.
What versions are affected by CVE-2017-14388?
CVE-2017-14388 affects all GrootFS versions prior to 0.30.0, including versions 0.3.0 to 0.29.0.
What impact does CVE-2017-14388 have on system integrity?
CVE-2017-14388 could lead to an attacker providing malicious image layers that compromise the integrity of the GrootFS cache.
Is there a workaround for CVE-2017-14388?
There is no known effective workaround for CVE-2017-14388; upgrading to the fixed version is the recommended approach.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/references
- agent/description
- agent/first-publish-date
- agent/tags
- agent/event
- agent/source
- vendor/pivotal software
- canonical/pivotal software grootfs
- version/pivotal software grootfs/0.3.0
- version/pivotal software grootfs/0.4.0
- version/pivotal software grootfs/0.5.0
- version/pivotal software grootfs/0.6.0
- version/pivotal software grootfs/0.7.0
- version/pivotal software grootfs/0.8.0
- version/pivotal software grootfs/0.9.0
- version/pivotal software grootfs/0.10.0
- version/pivotal software grootfs/0.11.0
- version/pivotal software grootfs/0.12.0
- version/pivotal software grootfs/0.13.0
- version/pivotal software grootfs/0.14.0
- version/pivotal software grootfs/0.15.0
- version/pivotal software grootfs/0.16.0
- version/pivotal software grootfs/0.17.0
- version/pivotal software grootfs/0.17.1
- version/pivotal software grootfs/0.18.0
- version/pivotal software grootfs/0.19.0
- version/pivotal software grootfs/0.20.0
- version/pivotal software grootfs/0.21.0
- version/pivotal software grootfs/0.24.0
- version/pivotal software grootfs/0.25.0
- version/pivotal software grootfs/0.26.0
- version/pivotal software grootfs/0.27.0
- version/pivotal software grootfs/0.28.0
- version/pivotal software grootfs/0.28.1
- version/pivotal software grootfs/0.29.0