Cloud Foundry Foundation
Apps running on cf-deployment are accessible (unproxied) via a programmatically-generated port on diego cells. The route integrity with mTLS feature (rep.containers.proxy.require_and_verify_client_certificates), exposes an additional port that requires a client certificate signed by a specific CA for app ingress. Cells can be optionally configured (containers.proxy.enable_unproxied_port_mappings) to remove the unproxied port, ensuring that apps can only be reached by authenticated clients (namely, gorouter).
Starting with diego-release 2.55.0, apps are accessible via yet another port on diego cells, allowing application ingress without a client certificate. If mTLS route integrity is enabled AND unproxied ports are turned off, then an attacker could connect to an application that should be only reachable via mTLS, without presenting a client certificate. If the platform is not configured this way, there is no impact because applications were are already reachable via a non-mTLS port.
Affected Cloud Foundry Products and Versions
Severity is high unless otherwise noted.
- All versions between to 2.55.0 – 2.69.0 (inclusive)
- CF Deployment
- All versions between to 17.1 – 23.2.0 (inclusive)
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
- Upgrade all versions to 2.69.1 or greater
- CF Deployment
- Upgrade all versions to 23.3.0 or greater
This issue was responsibly reported by Maximilian Moehl of SAP
2022-12-08: Initial vulnerability report published.