CVE-2016-0708 Remote Information Disclosure
Critical
Cloud Foundry Foundation
Applications deployed to Cloud Foundry may be vulnerable to a remote disclosure of information, including, but not limited to environment variables and bound service details. For applications to be vulnerable, they must have been staged using automatic buildpack detection, passed through the Java Buildpack detection script, and allow the serving of static content from within the deployed artifact. The default Apache Tomcat configuration in the affected java buildpack versions for some basic web application archive (WAR) packaged applications are vulnerable to this issue.
Cloud Foundry users are strongly encouraged to follow one of the mitigations below:
If only the Java Buildpack mitigation is used, it is required that all applications using automated buildpack detection are re-staged to remediate this issue.
It is possible that sensitive application information may have been disclosed before the remediation, therefore it is recommended that applications using automated buildpack detection rotate credentials including environment variables for bound services, user-provided service instances, and developer provided environment variables. Most Service Brokers provide new credentials to each application using an unbind-service and bind-service sequence of commands.
2015-Jan-18: Initial vulnerability report published.