CVE-2016-6660: Cloud Controller logs application environment variables

Severity

Low

Vendor

Cloud Foundry Foundation

Versions Affected

Cloud Foundry Release versions prior to 250
CAPI versions prior to 1.12.0

Description

The Cloud Foundry Cloud Controller /v2/apps endpoint logs environment variables in plaintext when pushing a manifest containing environment variables or when setting environment variables using cf set-env. The sensitive information appears in the Cloud Controller component logs, which are often aggregated with other system component logs via syslog.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

Upgrade to Cloud Foundry v250 [1] or later
For standalone component users:

CAPI v1.12.0 [2] or later

Credit

This vulnerability was responsibly reported by the Cloud Controller team.

References

[1] https://github.com/cloudfoundry/cf-release/releases
[2] https://github.com/cloudfoundry/capi-release/releases

History

2016-08-10: Initial vulnerability report published

CVE-2016-6660: Cloud Controller logs application environment variables

Severity

Vendor

Versions Affected

Description

Mitigation

Credit

References

History

You Might Also Like

CVE-2017-4969: Bug in CC allows users to exceed quotas

USN-2861-1 libpng vulnerability

USN-3259-1: Bind vulnerabilities

Sign up for the Cloud Foundry Newsletter today!

Sign up for the
Cloud Foundry Newsletter today!