CVE-2017-4970: Staticfile buildpack ignores basic authentication when misconfigured
Severity
High
Vendor
Cloud Foundry Foundation
Versions Affected
- cf-release v255
- Staticfile buildpack versions v1.4.0 – v1.4.3
Description
A regression introduced in the Staticfile buildpack causes the Staticfile.auth configuration to be ignored when no Staticfile is present in the application root. Applications containing a Staticfile.auth file but no Staticfile had their basic auth turned off when an operator upgraded the Staticfile buildpack in the foundation to one of the vulnerable versions. Note that Staticfile applications without a Staticfile are technically misconfigured and will not be detected by the Staticfile buildpack during staging unless that buildpack is explicitly specified.
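The following audit helper is an added example for this advisory; it is not code from Cloud Foundry or the Staticfile buildpack. It checks an application root for the exact layout the advisory describes (a Staticfile.auth present without a Staticfile) so an operator can find which apps lost basic auth before upgrading and restaging. The function names check_staticfile_auth and audit_app_roots, the directory layout, and the placeholder htpasswd line are all assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper for CVE-2017-4970 (not part of the advisory or the buildpack).
# check_staticfile_auth APP_ROOT
#   exit 0: layout is consistent (either no Staticfile.auth, or Staticfile.auth plus Staticfile)
#   exit 1: Staticfile.auth exists but Staticfile does not -- the layout under which
#           buildpack v1.4.0 - v1.4.3 silently ignore basic auth
check_staticfile_auth() {
    app_root="$1"
    if [ -f "$app_root/Staticfile.auth" ] && [ ! -f "$app_root/Staticfile" ]; then
        echo "VULNERABLE: $app_root has Staticfile.auth but no Staticfile (basic auth ignored by v1.4.0-v1.4.3)"
        return 1
    fi
    if [ -f "$app_root/Staticfile.auth" ]; then
        echo "ok: $app_root has both Staticfile.auth and Staticfile"
    else
        echo "ok: $app_root has no Staticfile.auth (no basic auth configured)"
    fi
    return 0
}

# audit_app_roots PARENT_DIR
#   Runs the check over every subdirectory of PARENT_DIR (one app root each).
#   exit 1 if any app root has the vulnerable layout, exit 0 otherwise.
audit_app_roots() {
    parent="$1"
    found=0
    for d in "$parent"/*/; do
        [ -d "$d" ] || continue
        check_staticfile_auth "${d%/}" || found=1
    done
    return "$found"
}

# Constructed sample app roots (assumption: one directory per app), built in a
# temporary directory so the demonstration runs offline.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/good-app" "$demo_dir/bad-app" "$demo_dir/public-app"
printf 'root: public/\n' > "$demo_dir/good-app/Staticfile"
# Placeholder htpasswd entry; a real Staticfile.auth holds user:hash lines.
printf 'admin:PLACEHOLDER-HTPASSWD-HASH\n' > "$demo_dir/good-app/Staticfile.auth"
printf 'admin:PLACEHOLDER-HTPASSWD-HASH\n' > "$demo_dir/bad-app/Staticfile.auth"

if audit_app_roots "$demo_dir"; then
    echo "audit: no vulnerable layouts found"
else
    echo "audit: at least one app root has Staticfile.auth without a Staticfile"
fi
rm -rf "$demo_dir"
```

Point audit_app_roots at a directory of checked-out application sources (one app per subdirectory); any root it flags is both affected by this advisory on a vulnerable buildpack and, per the advisory, misconfigured in the first place. The advisory's own mitigation still applies regardless of the audit result: upgrade the buildpack to v1.4.4 or later and restage every app that uses it.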
Mitigation
OSS users are strongly encouraged to follow one of the mitigations below:
- For existing deployments, upgrade the Staticfile Buildpack to v1.4.4 or later [1] and restage all applications that use the Staticfile Buildpack.
- Upgrade to cf-release v256 [2] when available.
References
- [1] https://github.com/cloudfoundry/staticfile-buildpack/releases
- [2] https://github.com/cloudfoundry/cf-release/releases
History
2017-04-10: Updated mitigation to apply to all apps using the Staticfile buildpack instead of just apps with detection
2017-04-10: Initial vulnerability report published