Lucene search
Cloud FoundryCFOUNDRY:F652C8D4E4092854DE63805754E6E94BHistoryJan 09, 2017 - 12:00 a.m.
CVE-2016-9882: Cloud Foundry Logs Service Credentials | Cloud Foundry
2017-01-0900:00:00
Cloud Foundry
www.cloudfoundry.org
30
0.001 Low
EPSS
Percentile
47.3%
CVE-2016-9882: Cloud Foundry Logs Service Credentials
Medium
Vendor
Cloud Foundry Foundation
Versions Affected
- cf-release versions prior to v250
- CAPI-release versions prior to v1.12.0
Description
Cloud Foundry logs the credentials returned from service brokers in Cloud Controller system component logs. These logs are written to disk and often sent to a log aggregator via syslog.
Mitigation
OSS users are strongly encouraged to follow one of the mitigations below:
- Upgrade to Cloud Foundry v250 [1] or later
- For CAPI-Release users
- Upgrade to CAPI-Release v1.12.0 [2] or later
- If you were forwarding CC logs via an unsecured connection, service binding credentials should be rotated and it is recommended to only forward
syslogusing a secure connection.
References
- [1] <https://github.com/cloudfoundry/cf-release/releases/tag/v250>
- [2] <https://github.com/cloudfoundry/capi-release/releases/tag/1.12.0>
History
2017-01-09: Initial vulnerability report published
2017-01-10: Added mitigation suggestion for rotating credentials
Related
cve
cve
CVE-2016-9882
2017-01-13 09:59:00
prion
prion
Design/Logic Flaw
2017-01-13 09:59:00
osv
osv
CVE-2016-9882
2017-01-13 09:59:00
cvelist
cvelist
CVE-2016-9882
2017-01-13 09:00:00
nvd
nvd
CVE-2016-9882
2017-01-13 09:59:00