CVE-2016-9882: Cloud Foundry Logs Service Credentials

Severity

Medium

Vendor

Cloud Foundry Foundation

Versions Affected

cf-release versions prior to v250
CAPI-release versions prior to v1.12.0

Description

Cloud Foundry logs the credentials returned from service brokers in Cloud Controller system component logs. These logs are written to disk and often sent to a log aggregator via syslog.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

Upgrade to Cloud Foundry v250 [1] or later
For CAPI-Release users

Upgrade to CAPI-Release v1.12.0 [2] or later

If you were forwarding CC logs via an unsecured connection, service binding credentials should be rotated and it is recommended to only forward syslog using a secure connection.

References

[1] https://github.com/cloudfoundry/cf-release/releases/tag/v250
[2] https://github.com/cloudfoundry/capi-release/releases/tag/1.12.0

History

2017-01-09: Initial vulnerability report published
2017-01-10: Added mitigation suggestion for rotating credentials

CVE-2016-9882: Cloud Foundry Logs Service Credentials

Severity

Vendor

Versions Affected

Description

Mitigation

References

History

You Might Also Like

USN-6238-1: Samba vulnerabilities

CVE-2015-5350 Garden Nstar vulnerability

USN-5748-1: Sysstat vulnerability

Sign up for the Cloud Foundry Newsletter today!

Sign up for the
Cloud Foundry Newsletter today!