
CVE-2019-3800: CF CLI writes the client id and secret to config file | Cloud Foundry

Published: 2019-07-18 00:00:00
Source: Cloud Foundry (www.cloudfoundry.org)

CVSS2: 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

CVSS3: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

EPSS: 0.002 (Percentile: 59.5%)

Severity: Medium

Vendor: Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

  • CF CLI
    • All versions prior to v6.45.0
  • CF CLI Release
    • All versions prior to v1.16.0
  • CF Networking Release
    • All versions prior to v2.23.0
  • CF Routing Release
    • All versions prior to v0.189.0
  • CF Smoke Tests
    • All versions prior to v40.0.113
  • CF Deployment
    • All versions prior to v10.0.0
  • CF Deployment Concourse Tasks
    • All versions prior to v9.3.0
  • CF Log Cache Release
    • All versions prior to v2.3.1
  • CF Notifications
    • All versions prior to v58

Description

CF CLI versions prior to v6.45.0 (BOSH release version 1.16.0) write the client ID and secret to the CLI config file when the user authenticates with the --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as the client that owns the leaked credentials.
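A defender-side check for the exposure described above, as an added example that is not Cloud Foundry's own code: it audits one CLI config file for a stored secret and for file permissions that let other local users read it. It assumes the config file is JSON and that the caller supplies its path; the key names in the constructed sample are assumptions, and the scan itself matches any key whose name contains "secret".

```python
import json
import os
import stat
import tempfile

def secret_keys(node, prefix=""):
    """Return dotted paths of keys named like '*secret*' that hold a non-empty string."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            if isinstance(value, str) and value and "secret" in key.lower():
                found.append(path)
            else:
                found.extend(secret_keys(value, path))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(secret_keys(item, f"{prefix}[{i}]"))
    return found

def audit_config(path):
    """Audit one CLI config file; findings name keys but never echo secret values."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} grants group/other access")
    try:
        with open(path, encoding="utf-8") as fh:
            config = json.load(fh)
    except (OSError, ValueError) as exc:
        findings.append(f"unreadable or not JSON: {exc}")
        return findings
    findings += [f"stored secret in key {k}" for k in secret_keys(config)]
    return findings

def demo():
    """Run the audit on a constructed config written to a temp directory."""
    sample = {"UAAOAuthClient": "ci-client",              # constructed sample;
              "UAAOAuthClientSecret": "not-a-real-secret",  # key names are assumptions
              "Target": "https://api.example.invalid"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)  # readable by other local users
        return audit_config(path)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Call audit_config with the path of each user's CF CLI config file; an empty list means no stored secret was found and the file is private to its owner.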

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • CF CLI
    • Upgrade all versions to v6.45.0 or greater
  • CF CLI Release
    • Upgrade all versions to v1.16.0 or greater
  • CF Networking Release
    • Upgrade all versions to v2.23.0 or greater
  • CF Routing Release
    • Upgrade all versions to v0.189.0 or greater
  • CF Smoke Tests
    • Upgrade all versions to v40.0.113 or greater
  • CF Deployment
    • Upgrade all versions to v10.0.0 or greater
  • CF Deployment Concourse Tasks
    • Upgrade all versions to v9.3.0 or greater
  • CF Log Cache Release
    • Upgrade all versions to v2.3.1 or greater
  • CF Notifications
    • Upgrade all versions to v58 or greater

History

2019-07-18: Initial vulnerability report published.

2019-07-24: Add additional affected products and mitigation steps.

2019-07-26: Add CF Deployment Concourse Tasks to the list.
