CVE-2017-4970: Staticfile buildpack ignores basic authentication when misconfigured

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

  • cf-release v255
  • Staticfile buildpack versions v1.4.0 – v1.4.3

Description

A regression in Staticfile buildpack v1.4.0 through v1.4.3 causes the Staticfile.auth configuration to be ignored when no Staticfile is present in the application root. Applications that ship a Staticfile.auth but no Staticfile had basic authentication silently turned off when an operator upgraded the foundation's Staticfile buildpack to one of the vulnerable versions: the buildpack only runs at staging, so the protection disappeared the next time such an application was pushed or restaged, without any error or warning. Note that a Staticfile application without a Staticfile is technically misconfigured. The buildpack's detect step looks for that file, so such an application will not be detected and only stages with the Staticfile buildpack when the buildpack is specified explicitly at push time.
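The two checks a practitioner wants after reading the paragraph above are (a) whether an application source tree is in the misconfigured state the advisory describes (Staticfile.auth present, Staticfile absent) and (b) whether a deployed route actually challenges for credentials. The script below is an added example, not code from the advisory or from the Staticfile buildpack. The function names, the temporary directory layout, the placeholder htpasswd line and the HTTP responses used for classification are all constructed for illustration.

```python
# Added example for CVE-2017-4970; not code from the advisory or the Staticfile
# buildpack. Audits an app root for the misconfiguration the advisory describes
# and classifies an unauthenticated probe of a deployed route.
import os
import tempfile
import urllib.error
import urllib.request

VULNERABLE_BUILDPACK_VERSIONS = ("1.4.0", "1.4.1", "1.4.2", "1.4.3")  # from the advisory


def audit_app_root(app_root):
    """Classify an app directory the way the advisory describes.

    Returns one of:
      "misconfigured" - Staticfile.auth present but Staticfile absent: the case
                         in which buildpack v1.4.0-v1.4.3 silently drop basic auth
      "protected"     - both files present
      "public"        - no Staticfile.auth, so no basic auth was ever expected
    """
    has_staticfile = os.path.isfile(os.path.join(app_root, "Staticfile"))
    has_auth = os.path.isfile(os.path.join(app_root, "Staticfile.auth"))
    if has_auth and not has_staticfile:
        return "misconfigured"
    return "protected" if has_auth else "public"


def add_staticfile(app_root):
    """Create an empty Staticfile so the buildpack's detect step finds the app
    and the Staticfile.auth is honoured. Idempotent; returns the path."""
    path = os.path.join(app_root, "Staticfile")
    if not os.path.exists(path):
        open(path, "a").close()
    return path


def classify_auth_response(status, headers):
    """Judge an unauthenticated GET on the application root.

    headers: an http.client.HTTPMessage (case-insensitive) or, for offline
    tests, a plain dict with lower-case keys.
    """
    www_auth = headers.get("WWW-Authenticate") or headers.get("www-authenticate") or ""
    if status == 401 and www_auth.lower().startswith("basic"):
        return "basic-auth-enforced"
    if status == 200:
        return "NO-AUTH: content served without credentials"
    return "inconclusive: HTTP %d" % status


def probe_route(url, timeout=10):
    """Fetch url with no credentials and classify the outcome (network call;
    use classify_auth_response directly when testing offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2017-4970-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_auth_response(resp.status, resp.headers)
    except urllib.error.HTTPError as err:
        return classify_auth_response(err.code, err.headers)


if __name__ == "__main__":
    # Constructed sample: the misconfigured layout from the advisory.
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "Staticfile.auth"), "w") as fh:
        fh.write("admin:<htpasswd hash placeholder>\n")  # constructed, not a real hash
    print(audit_app_root(root))  # misconfigured
    add_staticfile(root)
    print(audit_app_root(root))  # protected
```

Run audit_app_root over each Staticfile application's source before pushing; any "misconfigured" result means the app depends on the fixed buildpack (v1.4.4 or later) for its basic auth, and adding the empty Staticfile removes that dependency. probe_route is the post-restage confirmation: only a 401 carrying a Basic challenge counts as enforced.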

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • For existing deployments, upgrade the Staticfile Buildpack to v1.4.4 or later [1] and restage all applications that use the Staticfile Buildpack.
  • Upgrade to cf-release v256 [2] when available.

Upgrading the buildpack alone is not sufficient. A buildpack only runs at staging, so an application keeps the droplet it was last staged with, and one staged under v1.4.0 through v1.4.3 without a Staticfile continues to serve its content without basic auth until it is restaged with the fixed buildpack.
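The restage step above has to cover every application that uses the Staticfile buildpack, whether it was detected or pushed with the buildpack named explicitly. The helper below is an added example, not code from the advisory or from the cf CLI: it reads the JSON that `cf curl /v2/apps` returns, follows pagination, selects the Staticfile applications and emits a per-app restage command that works by app GUID so the operator does not have to target each space in turn. The field names (entity.buildpack, entity.detected_buildpack, metadata.guid, next_url) and the POST /v2/apps/:guid/restage endpoint follow the Cloud Foundry v2 API; the sample page below is constructed.

```python
# Added example for the CVE-2017-4970 mitigation; not code from the advisory or
# the cf CLI. Selects Staticfile apps from `cf curl /v2/apps` output and emits
# the commands to restage each one by GUID.
import json
import subprocess

# Constructed sample of one /v2/apps page (three apps, no further pages).
SAMPLE_PAGE = {
    "total_results": 3,
    "next_url": None,
    "resources": [
        {"metadata": {"guid": "0f9f5c7e-0000-4000-8000-000000000001"},
         "entity": {"name": "docs-site", "buildpack": None,
                    "detected_buildpack": "staticfile 1.4.3"}},
        {"metadata": {"guid": "0f9f5c7e-0000-4000-8000-000000000002"},
         "entity": {"name": "intranet", "buildpack": "staticfile_buildpack",
                    "detected_buildpack": None}},
        {"metadata": {"guid": "0f9f5c7e-0000-4000-8000-000000000003"},
         "entity": {"name": "api", "buildpack": None,
                    "detected_buildpack": "ruby 1.6.x"}},
    ],
}


def uses_staticfile(entity):
    """True when the app was pushed with the Staticfile buildpack named
    explicitly (entity.buildpack) or picked it up by detection
    (entity.detected_buildpack). Both cases need a restage."""
    candidates = (entity.get("buildpack") or "", entity.get("detected_buildpack") or "")
    return any("staticfile" in c.lower() for c in candidates)


def select_apps(pages):
    """pages: decoded /v2/apps responses. Returns [(name, guid), ...] for
    every app that uses the Staticfile buildpack."""
    selected = []
    for page in pages:
        for res in page.get("resources", []):
            entity, meta = res["entity"], res["metadata"]
            if uses_staticfile(entity):
                selected.append((entity["name"], meta["guid"]))
    return selected


def fetch_all_pages(run=subprocess.check_output):
    """Walk /v2/apps via `cf curl`, following next_url until it is null.
    `run` is injectable so the pagination logic can be exercised offline."""
    pages, url = [], "/v2/apps?results-per-page=100"
    while url:
        page = json.loads(run(["cf", "curl", url]))
        pages.append(page)
        url = page.get("next_url")
    return pages


def restage_commands(apps):
    """One `cf curl -X POST /v2/apps/<guid>/restage` line per selected app;
    restaging by GUID does not depend on the currently targeted space."""
    return ["cf curl -X POST /v2/apps/%s/restage" % guid for _, guid in apps]


if __name__ == "__main__":
    # Offline demonstration on the constructed page; replace the lambda with
    # fetch_all_pages() against a real foundation.
    pages = fetch_all_pages(lambda cmd: json.dumps(SAMPLE_PAGE).encode())
    for name, guid in select_apps(pages):
        print("# restage %s" % name)
    print("\n".join(restage_commands(select_apps(pages))))
```

Run it as an admin after the buildpack upgrade, review the printed list, then execute the commands (or pipe them to a shell). Restaging by GUID rather than with `cf restage <name>` avoids missing apps in spaces the operator has not targeted.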

References

History

2017-04-10: Updated mitigation to apply to all apps using the Staticfile buildpack instead of just apps with detection

2017-04-10: Initial vulnerability report published

Author: Cloud Foundry Foundation Security Team