CVE-2016-6658: Incomplete fix for Credential Vulnerability for Custom Buildpacks | Cloud Foundry

2017-08-16T00:00:00
ID CFOUNDRY:8B9D920D52D8C395D0AE03D285CE91F7
Type cloudfoundry
Reporter Cloud Foundry
Modified 2017-08-16T00:00:00

Description

Severity

Medium

Vendor

Cloud Foundry Foundation

Versions Affected

  • cf-release versions prior to 245

Description

This CVE addresses an incomplete fix for CVE-2016-6638, a credential vulnerability in the Cloud Controller database.

Original text of CVE-2016-6638: Applications can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repository. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud Controller database could view these credentials.
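As an added example (not part of the advisory and not Cloud Foundry's own code), the Python below flags buildpack settings whose URL carries a credential in its userinfo part, as described above, and returns a redacted form that is safe to put in logs or audit reports. The function names and the sample values are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit


def audit_buildpack(value):
    """Classify one buildpack setting.

    Returns (has_credential, kind, safe_value); safe_value has any
    userinfo replaced so it can be logged or reported.
    """
    parts = urlsplit(value)
    # Buildpacks referenced by name (e.g. "ruby_buildpack") are not URLs.
    if not parts.scheme or not parts.netloc:
        return (False, "not-a-url", value)
    # Credentials in a URL live in the userinfo part, before the last "@".
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return (False, "no-credential", value)
    # "user:password" (basic auth) versus a lone token or username (OAuth style).
    kind = "user-and-password" if parts.password else "token-or-username"
    safe = urlunsplit((parts.scheme, "REDACTED@" + hostport,
                       parts.path, parts.query, parts.fragment))
    return (True, kind, safe)


def audit(values):
    """Return only the entries that embed a credential, in redacted form."""
    findings = []
    for value in values:
        has_credential, kind, safe = audit_buildpack(value)
        if has_credential:
            findings.append((kind, safe))
    return findings


# Constructed sample values, e.g. collected from application manifests.
SAMPLE = [
    "ruby_buildpack",
    "https://github.com/cloudfoundry/ruby-buildpack.git",
    "https://alice:s3cret@github.com/acme/private-buildpack.git#v1",
    "https://0123abcd@github.com/acme/bp.git",
]

if __name__ == "__main__":
    for kind, safe in audit(SAMPLE):
        print(f"{kind}: {safe}")
```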

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry v245 [1] or later

Credit

Cloud Foundry Cloud Controller Team

References

History

2016-09-07: Initial vulnerability report finalized for CVE-2016-6638

2016-11-02: Vulnerability report finalized for CVE-2016-6658

2017-08-16: Vulnerability report published