Security Advisory

CVE-2016-6660: Cloud Controller logs application environment variables

Severity

Low

Vendor

Cloud Foundry Foundation

Versions Affected

  • Cloud Foundry Release versions prior to 250
  • CAPI versions prior to 1.12.0

Description

The Cloud Foundry Cloud Controller /v2/apps endpoint logs environment variables in plaintext when pushing a manifest containing environment variables or when setting environment variables using cf set-env. The sensitive information appears in the Cloud Controller component logs, which are often aggregated with other system component logs via syslog.
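To make the failure mode concrete, the following Ruby example contrasts the logging pattern described above (the whole /v2/apps request body, environment variables included, written to the component log) with a redacting variant, and then scans a few syslog-style lines for payloads that escaped redaction. This is an added illustration, not Cloud Controller code; the log line format, the `log_request_*` helpers, the `REDACTED` marker and the sample request body are all constructed for this example. The only identifier taken from the real API is `environment_json`, the v2 apps field that `cf push` manifests and `cf set-env` populate.

```ruby
require 'json'

# Request-body keys whose values must never reach a log line.
# environment_json is the real v2 apps field; add others as needed.
SENSITIVE_KEYS = %w[environment_json].freeze

# Marker substituted for redacted values (constructed for this example).
REDACTED = '[PRIVATE DATA HIDDEN]'.freeze

# Pattern matching the advisory: the request body is serialised into
# the log line as-is, so every env var value lands in the log.
# (Illustrative only; not the actual Cloud Controller implementation.)
def log_request_unsafe(method, path, body)
  "cc.api: #{method} #{path} body=#{body.to_json}"
end

# Walk the body and replace sensitive values before formatting.
# Nested hashes and arrays are traversed so a wrapped environment_json
# is caught as well as a top-level one.
def redact(obj)
  case obj
  when Hash
    obj.each_with_object({}) do |(k, v), out|
      out[k] = SENSITIVE_KEYS.include?(k.to_s) ? REDACTED : redact(v)
    end
  when Array
    obj.map { |v| redact(v) }
  else
    obj
  end
end

# Hardened pattern: same log line, redacted body.
def log_request_safe(method, path, body)
  "cc.api: #{method} #{path} body=#{redact(body).to_json}"
end

# Detection over aggregated logs: flag lines where environment_json is
# still followed by a non-empty JSON object, i.e. real env var content.
LEAK_PATTERN = /"environment_json"\s*:\s*\{(?!\s*\})/

def find_leaked_env(log_lines)
  log_lines.select { |line| line =~ LEAK_PATTERN }
end

# Constructed sample request body; the secret values are placeholders.
SAMPLE_BODY = {
  'name' => 'billing-api',
  'memory' => 512,
  'environment_json' => {
    'DB_PASSWORD' => 'hunter2-constructed',
    'API_TOKEN' => 'tok-constructed'
  }
}.freeze

# Constructed syslog-style lines: one from an affected Cloud Controller,
# one from a redacting one, and one unrelated GET.
SAMPLE_LOG = [
  "Aug 10 12:00:01 api-0 vcap.cloud_controller_ng: " \
    "#{log_request_unsafe('PUT', '/v2/apps/guid-1', SAMPLE_BODY)}",
  "Aug 10 12:00:02 api-0 vcap.cloud_controller_ng: " \
    "#{log_request_safe('PUT', '/v2/apps/guid-1', SAMPLE_BODY)}",
  "Aug 10 12:00:03 api-0 vcap.cloud_controller_ng: " \
    "cc.api: GET /v2/apps/guid-1 body=null"
].freeze

if __FILE__ == $PROGRAM_NAME
  puts log_request_unsafe('PUT', '/v2/apps/guid-1', SAMPLE_BODY)
  puts log_request_safe('PUT', '/v2/apps/guid-1', SAMPLE_BODY)
  find_leaked_env(SAMPLE_LOG).each { |l| puts "LEAK: #{l}" }
end
```

Running the script prints both forms of the log line and flags only the first sample line as a leak. The detection regex is deliberately narrow (a non-empty object under `environment_json`), so it stays quiet on redacted lines and on apps with no environment variables; a broader sweep would also look for known secret formats, since older logs written before an upgrade still contain the values.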

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry v250 [1] or later
  • For standalone component users:
    • CAPI v1.12.0 [2] or later

Credit

This vulnerability was responsibly reported by the Cloud Controller team.

References

History

2016-08-10: Initial vulnerability report published

Cloud Foundry Foundation Security Team, AUTHOR