Cloud Foundry Logo

CVE-2020-5400: Cloud Controller logs environment variables from app manifests

By: | February 24, 2020

Share

Severity

High

Vendor

Cloud Foundry Foundation

Description

Cloud Foundry Cloud Controller (CAPI), versions prior to 1.91.0, logs properties of background jobs when they are run, which may include sensitive information such as credentials if provided to the job. A malicious user with access to those logs may gain unauthorized access to resources protected by such credentials.

Affected Cloud Foundry Products and Versions

Severity is high unless otherwise noted.

  • CAPI
    • All versions prior to 1.91.0
  • CF Deployment
    • All versions prior to v12.33.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • CAPI
    • Upgrade all versions to 1.91.0 or greater
  • CF Deployment
    • Upgrade all versions to v12.33.0 or greater

Relevant log lines include the text “about to run job”. Operators should inform developers to rotate any credentials that are found there. Examples include service credentials provided to service broker jobs and environment variables provided to apps deployed using server-side manifests (such as by cf v3-apply-manifest or cf7 push).

Credit

This issue was responsibly reported by Miki Mokrysz of the GOV.UK PaaS team.

History

2020-02-24: Initial vulnerability report published.

2020-02-26: More detailed mitigation steps added.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES