Severity
High
Vendor
Cloud Foundry Foundation
Description
Cloud Foundry Cloud Controller (CAPI), versions prior to 1.91.0, logs properties of background jobs when they are run, which may include sensitive information such as credentials if provided to the job. A malicious user with access to those logs may gain unauthorized access to resources protected by such credentials.
Affected Cloud Foundry Products and Versions
Severity is high unless otherwise noted.
- CAPI
- All versions prior to 1.91.0
- CF Deployment
- All versions prior to v12.33.0
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
- CAPI
- Upgrade all versions to 1.91.0 or greater
- CF Deployment
- Upgrade all versions to v12.33.0 or greater
Relevant log lines include the text “about to run job”. Operators should inform developers to rotate any credentials that are found there. Examples include service credentials provided to service broker jobs and environment variables provided to apps deployed using server-side manifests (such as by cf v3-apply-manifest or cf7 push).
Credit
This issue was responsibly reported by Miki Mokrysz of the GOV.UK PaaS team.
History
2020-02-24: Initial vulnerability report published.
2020-02-26: More detailed mitigation steps added.
