Cloud Foundry Foundation
Cloud Foundry BOSH System Metrics Server, all versions prior to v0.0.24 and Cloud Foundry Loggregator, 105.x versions prior to v105.6, support block ciphers with a 64-bit block size. A remote unauthenticated malicious user can obtain cleartext data via a birthday attack against a long-duration encrypted session.
Affected Cloud Foundry Products and Versions
- Cloud Foundry BOSH System Metrics
  - All versions prior to v0.0.24
- Cloud Foundry Loggregator
  - All versions prior to v105.6
Users of affected versions should apply the following mitigations or upgrades:
- Releases that have fixed this issue include:
  - Cloud Foundry BOSH System Metrics version v0.0.24
  - Cloud Foundry Loggregator version v105.6
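Operators who maintain their own Go services alongside these releases can check an explicit TLS suite list for the same class of cipher; the following is an added example, not code from this advisory or from either Cloud Foundry release. It assumes the sessions are TLS served by Go's crypto/tls and that the 64-bit block cipher is 3DES (the advisory names neither), and the names Audit, Harden and block64 are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// block64 lists the suites in Go's crypto/tls built on 3DES, whose block
// size is 64 bits. Assumption: the service terminates TLS with crypto/tls.
var block64 = map[uint16]bool{
	tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA:       true,
	tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: true,
}

// Audit names the 64-bit block suites in an explicit list. An empty list
// means Go's version-dependent defaults apply, so it is reported as an error.
func Audit(ids []uint16) ([]string, error) {
	if len(ids) == 0 {
		return nil, fmt.Errorf("no explicit cipher suites: Go defaults apply")
	}
	var weak []string
	for _, id := range ids {
		if block64[id] {
			weak = append(weak, tls.CipherSuiteName(id))
		}
	}
	return weak, nil
}

// Harden returns the list without 64-bit block suites, order preserved.
func Harden(ids []uint16) []uint16 {
	out := make([]uint16, 0, len(ids))
	for _, id := range ids {
		if !block64[id] {
			out = append(out, id)
		}
	}
	return out
}

func main() {
	// Constructed sample list, not taken from either release.
	legacy := []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA}
	weak, _ := Audit(legacy)
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: Harden(legacy)}
	fmt.Println("64-bit block suites:", weak, "kept:", len(cfg.CipherSuites))
}
```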
2019-10-24: Initial vulnerability report published.