Micro Focus Container Deployment Foundation (CDF), Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in the Micro Focus Autopass License Server (APLS) and Container Deployment Foundation (CDF) components used in multiple containerized suites: Hybrid Cloud Management Containerized Suite (HCM2017.11, HCM2018.02, HCM2018.05), Operations Bridge Containerized Suite (2017.11, 2018.02, 2018.05), Data Center Automation Containerized Suite (2017.01 through 2018.05), Service Management Automation Suite (2017.11, 2018.02, 2018.05), and Network Operations Management (NOM) Suite CDF (2017.11, 2018.02, 2018.05) [1][2][3][4].

Exploitation

According to the CVSS vector (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H), the vulnerability is exploitable from an adjacent network with low attack complexity and no privileges required; no user interaction is needed [1][2][3][4]. An attacker who can reach the affected component can trigger remote code execution without authentication.

Impact

Successful exploitation allows an attacker to execute arbitrary code remotely. The CVSS score is 8.8 (High) with impacts to confidentiality (low), integrity (low), and availability (high), and the scope is changed, meaning the compromise can affect resources beyond the vulnerable component [1][2][3][4].

Mitigation

Micro Focus has released mitigations for the affected products. Refer to the specific security bulletins for the appropriate software version: for Hybrid Cloud Management containerized suites, Micro Focus has made mitigation information available to resolve the vulnerability [4]. The security bulletins were released on 2018-08-30 [1][2][3][4]. Apply the recommended updates or workarounds as directed by the vendor.