PatchSiren cyber security CVE debrief

CVE-2016-9772 Openafs CVE debrief

CVE-2016-9772 is an information-disclosure issue in OpenAFS affecting version 1.6.19 and earlier. A remote attacker may be able to learn sensitive directory information from the client cache partition, the fileserver vice partition, or certain RPC responses. NVD rates the issue as medium severity with network access and no user interaction required.

Vendor
OpenAFS
Product
OpenAFS
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-06
Original CVE updated
2026-05-13
Advisory published
2017-02-06
Advisory updated
2026-05-13

Who should care

Organizations running OpenAFS clients or fileservers, especially where directory names or filesystem layout are themselves sensitive (user, project, or host names visible in a directory listing). Administrators should look closely at deployments where the fileserver or cache manager is reachable from untrusted networks, or where one AFS cell backs shared infrastructure used by many teams.

Technical summary

NVD identifies OpenAFS through 1.6.19 as vulnerable to remote information disclosure. The attack surface includes leakage from the client cache partition, the fileserver vice partition, and certain RPC responses. The published CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates a network-reachable issue with confidentiality impact only, and NVD maps it to CWE-200.

Defensive priority

Medium. Prioritize remediation on systems that expose OpenAFS or rely on directory confidentiality, but this is not a high-severity integrity or availability issue.

Recommended defensive actions

  • Upgrade OpenAFS to a release later than 1.6.19, following the fixed-release guidance in OpenAFS security advisory OPENAFS-SA-2016-003, on both fileservers and clients.
  • Inventory hosts running OpenAFS clients and fileservers and record the version each one reports, so that installs at 1.6.19 or earlier can be identified quickly.
  • Review whether exposed directory metadata could reveal sensitive naming, access, or topology information in your environment; a leak of directory entries is more serious where the names encode users, projects, or internal hosts.
  • If immediate upgrade is not possible, restrict which networks can reach the OpenAFS services (the fileserver on 7000/udp and the cache manager on 7001/udp, plus the database servers on 7002-7003/udp), and monitor for directory fetches or RPC traffic from hosts that are not expected AFS clients.
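The inventory step above is where most teams lose time: OpenAFS version strings come in several shapes, and "1.6.19 and earlier" has to be compared numerically rather than as text. The helper below is an added example, not code from PatchSiren or the OpenAFS project. It parses the version out of a banner line and classifies each host against the NVD affected range. The banner lines are constructed for the example; the "AFS version: OpenAFS x.y.z" shape is an assumption about what `rxdebug <host> 7000 -version` prints, so adapt the regular expression to the real output you capture.

```python
import re
from typing import Dict, Optional, Tuple

# Upper bound of the affected range stated in the NVD entry for CVE-2016-9772:
# "OpenAFS 1.6.19 and earlier".
LAST_AFFECTED: Tuple[int, ...] = (1, 6, 19)

# Matches "OpenAFS 1.6.19", "OpenAFS 1.6.20.2", "openafs 1.4.14" etc.  Any
# pre-release or build suffix after the numeric part is ignored on purpose.
_VERSION_RE = re.compile(r"OpenAFS\s+(\d+(?:\.\d+)+)", re.IGNORECASE)


def parse_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric OpenAFS version found in a banner line, e.g. (1, 6, 19).

    Returns None when no 'OpenAFS x.y[.z...]' token is present, so that a host
    whose version could not be determined is reported rather than silently
    treated as fixed.
    """
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when the version falls inside the NVD range (<= 1.6.19).

    Tuple comparison gives the right ordering for dotted versions:
    (1, 6, 9) < (1, 6, 19) < (1, 6, 20) < (1, 8, 0).
    """
    return version <= LAST_AFFECTED


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'affected', 'fixed' or 'unknown' from its banner."""
    verdicts: Dict[str, str] = {}
    for host, banner in inventory.items():
        version = parse_version(banner)
        if version is None:
            verdicts[host] = "unknown"
        elif is_affected(version):
            verdicts[host] = "affected"
        else:
            verdicts[host] = "fixed"
    return verdicts


# Constructed sample inventory (hypothetical hosts and banner lines, not real
# data): one per shape of output an administrator is likely to collect.
SAMPLE_INVENTORY: Dict[str, str] = {
    "afs1.example.internal": "AFS version: OpenAFS 1.6.19 built 2016-06-23",
    "afs2.example.internal": "AFS version: OpenAFS 1.6.20 built 2016-12-01",
    "afs3.example.internal": "AFS version: OpenAFS 1.4.14",
    "afs4.example.internal": "AFS version: openafs 1.8.0",
    "afs5.example.internal": "rxdebug: connection refused",
}


def main() -> None:
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:28s} {verdict}")


if __name__ == "__main__":
    main()
```

Hosts reported as "unknown" deserve a manual check rather than being dropped: a fileserver that refuses `rxdebug` is still an OpenAFS host, and it may be exactly the neglected one still on an old release.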

Evidence notes

The NVD entry states that OpenAFS 1.6.19 and earlier are vulnerable and lists the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N with CWE-200. The vendor advisory and related references point to OpenAFS security advisory OPENAFS-SA-2016-003 and an oss-security mailing list post dated 2016-12-02. These sources support a remote disclosure affecting directory information, without claims about integrity or availability impact.

Official resources

The CVE was published on 2017-02-06. Supporting vendor and mailing-list references in the supplied corpus are dated 2016-12-02, showing earlier public disclosure context. Use the CVE publication date for vulnerability timing and the vendor/