CVE-2016-9882: Cloud Foundry Logs Service Credentials


Severity

Medium

Vendor

Cloud Foundry Foundation

Versions Affected

  • cf-release versions prior to v250
  • CAPI-release versions prior to v1.12.0

Description

Cloud Foundry logs the credentials that service brokers return in bind responses in the Cloud Controller (CC) system component logs. These logs are written to disk and are often forwarded to a log aggregator via syslog, so the service binding credentials end up wherever those logs are stored or sent.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry v250 [1] or later
  • For CAPI-Release users
    • Upgrade to CAPI-Release v1.12.0 [2] or later
  • Upgrading stops the credentials from being logged going forward; it does not remove credentials already written to CC logs on disk or retained by a log aggregator. Restrict access to those logs and purge or redact the affected entries.
  • If CC logs were forwarded over an unencrypted syslog connection, rotate the exposed service binding credentials (unbind and rebind the affected services so the broker issues new credentials) and forward syslog only over a TLS-protected connection from then on.
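To decide which bindings need rotation and to scrub archived logs, it helps to scan the Cloud Controller logs for leaked broker responses. The following is an added example for this advisory, not code from Cloud Foundry or the advisory itself. It assumes CC log lines are one JSON object per line (the cloud_controller_ng log style) and that a leaked broker response shows up as a nested object under a key named "credentials"; the sample log lines are constructed for this example, as is the "service_instance_guid" field used to attribute a finding to an instance.

```python
"""Find and redact service-broker credentials in Cloud Controller log lines.

Added example, not Cloud Foundry's own code. Assumes JSON-per-line CC logs
with leaked bind responses under a "credentials" key; falls back to a regex
for lines that are not valid JSON.
"""
import json
import re

# Constructed sample CC log lines (not real output). Line 1 mimics a logged
# bind response, line 2 is benign, line 3 is a non-JSON line that still
# carries a credentials object.
SAMPLE_LOG = [
    '{"timestamp":1483920000.1,"message":"service broker response","log_level":"debug",'
    '"source":"cc.services.service_brokers.v2.client","data":{"request_guid":"abc-123",'
    '"service_instance_guid":"8d6f1f9c","binding":{"credentials":{"username":"app-user",'
    '"password":"s3cr3t","uri":"postgres://app-user:s3cr3t@db.internal:5432/app"}}}}',
    '{"timestamp":1483920001.2,"message":"Completed 200 vcap-request-id: 42","log_level":"info",'
    '"source":"cc.api","data":{"request_guid":"def-456"}}',
    '2017-01-09T10:00:02Z cc.worker: job done payload="credentials":{"api_key":"k-example"}',
]

CREDENTIALS_KEY = "credentials"
# Fallback for non-JSON lines: a flat "credentials":{...} object literal.
CREDENTIALS_RE = re.compile(r'"credentials"\s*:\s*(\{[^{}]*\})')


def find_credentials(obj, path=()):
    """Return [(path, dict)] for every "credentials" object nested anywhere in obj."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = path + (key,)
            if key == CREDENTIALS_KEY and isinstance(value, dict):
                found.append((child, value))
            else:
                found.extend(find_credentials(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            found.extend(find_credentials(item, path + (i,)))
    return found


def redact(obj):
    """Deep copy of obj with every "credentials" object replaced by a placeholder."""
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if k == CREDENTIALS_KEY and isinstance(v, dict) else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(i) for i in obj]
    return obj


def scan_log(lines):
    """One finding per leaked credentials object: line number, instance guid (if present), field names.

    Only field names are reported, never the values, so the report itself does not re-leak them.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except ValueError:
            for m in CREDENTIALS_RE.finditer(line):
                try:
                    creds = json.loads(m.group(1))
                except ValueError:
                    creds = {}
                findings.append({"line": lineno, "instance": None, "fields": sorted(creds)})
            continue
        instance = None
        data = record.get("data")
        if isinstance(data, dict):
            instance = data.get("service_instance_guid")  # assumed field name
        for _path, creds in find_credentials(record):
            findings.append({"line": lineno, "instance": instance, "fields": sorted(creds)})
    return findings


def redact_log(lines):
    """Re-emit the log with credentials objects redacted; non-JSON lines use the regex fallback."""
    out = []
    for line in lines:
        try:
            out.append(json.dumps(redact(json.loads(line)), separators=(",", ":")))
        except ValueError:
            out.append(CREDENTIALS_RE.sub('"credentials":"[REDACTED]"', line))
    return out


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run the scanner over the CC logs on disk and over whatever the aggregator has retained; every distinct instance guid in the findings is a binding whose credentials should be treated as exposed, and redact_log gives a copy safe to keep for audit purposes.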

References

History

2017-01-09: Initial vulnerability report published
2017-01-10: Added mitigation suggestion for rotating credentials