CVE-2018-15796: Signing Key Extraction in Bits Service
Cloud Foundry Foundation
Affected Cloud Foundry Products and Versions
- You are using bits-service-release versions prior to 2.14.0
Cloud Foundry Bits Service, versions prior to 2.14.0, uses an insecure hashing algorithm to sign URLs. A remote malicious user may obtain a signed URL and extract the signing key, allowing them complete read and write access to the the Bits Service storage.
Users of affected versions should apply the following mitigations or upgrades:
- Releases that have fixed this issue include:
- bit-service-release versions 2.14.0
This issue was responsibly reported by Christopher Brown of VMware.
2018-11-07: Initial vulnerability report published.