CVE-2017-4970: Staticfile buildpack ignores basic authentication when misconfigured

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

• cf-release v255
• Staticfile buildpack versions v1.4.0 – v1.4.3

Description

A regression introduced in the Staticfile buildpack causes the Staticfile.auth configuration to be ignored when the Staticfile file is not present in the application root. Applications containing a Staticfile.auth file but not a Staticfile had their basic auth turned off when an operator upgraded the Staticfile buildpack in the foundation to one of the vulnerable versions. Note that Staticfile applications without a Staticfile are technically misconfigured, and will not successfully detect unless the Staticfile buildpack is explicitly specified.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

• For existing deployments, upgrade the Staticfile Buildpack to v1.4.4 or later [1] and restage all applications that use the Staticfile Buildpack.
• Upgrade to cf-release v256 [2] when available.

References

• [1] https://github.com/cloudfoundry/staticfile-buildpack/releases
• [2] https://github.com/cloudfoundry/cf-release/releases

History

2017-04-10: Updated mitigation to apply to all apps using the Staticfile buildpack instead of just apps with detection

2017-04-10: Initial vulnerability report published