[security] BOSH misconfigurations


Tammer Saleh
 

All,

We've detected a common misconfiguration pattern with some BOSH directors,
and so wanted to notify you all so you can make sure your teams have
secured their BOSH deployments.

Context: The general instructions for setting up a BOSH Director include a
sample manifest that has ~7 different default usernames and passwords.
We've observed a number of consumers that (a) used these manifests without
updating the default passwords and (b) did not set up appropriate security
group rules. Both things together make their BOSH directors vulnerable.

The CF security team has crafted a script that can determine if a BOSH
Director is misconfigured and insecure
<https://github.com/pivotal/bosh-cred-and-port-scan>.

Cheers,
Tammer Saleh
VP Engineering, Pivotal CF, SF
http://pivotal.io | http://tammersaleh.com
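The two conditions above (default credentials left in the manifest, and director ports reachable from outside) can each be checked mechanically. The script below is an added illustration, not the CF security team's script linked above and not part of this message. It walks a parsed director manifest and flags password-like fields and URL-embedded credentials whose values match the defaults from the sample manifest, then optionally probes the well-known director ports. The credential list and port list are taken from memory of the sample manifest of that era and are assumptions here: verify them against the manifest you actually deployed. The sample manifest in the block is constructed for the example.

```python
import re
import socket
import sys

# Default credentials as they appeared in the published sample director manifest.
# This list is an assumption for the example; verify it against your own manifest.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("nats", "nats-password"),
    ("postgres", "postgres-password"),
    ("registry", "registry-password"),
    ("director", "director-password"),
    ("agent", "agent-password"),
    ("hm", "hm-password"),
    ("mbus", "mbus-password"),
}
DEFAULT_PASSWORDS = {password for _, password in DEFAULT_CREDENTIALS}

# Ports the director VM listens on (assumed from the sample manifest: director API,
# agent message bus, NATS, registry, blobstore). These should not be open to the world.
DIRECTOR_PORTS = {
    25555: "director API",
    6868: "agent mbus",
    4222: "NATS",
    25777: "registry",
    25250: "blobstore",
}

# Matches user:password embedded in a URL such as nats://nats:nats-password@10.0.0.6:4222
URL_CRED_RE = re.compile(r"://([^:/@]+):([^@/]+)@")


def find_default_credentials(node, path=""):
    """Recursively walk a parsed manifest (dicts, lists, scalars).

    Returns a list of (path, password) pairs for every password-named field
    whose value is a known default, and for every URL-embedded credential
    whose password is a known default.
    """
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            findings.extend(find_default_credentials(value, f"{path}/{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            findings.extend(find_default_credentials(value, f"{path}/{index}"))
    elif isinstance(node, str):
        key = path.rsplit("/", 1)[-1].lower()
        if "password" in key and node in DEFAULT_PASSWORDS:
            findings.append((path, node))
        for _user, password in URL_CRED_RE.findall(node):
            if password in DEFAULT_PASSWORDS:
                findings.append((path, password))
    return findings


def exposed_director_ports(host, ports=DIRECTOR_PORTS, timeout=2.0):
    """Return {port: service} for each director port that accepts a TCP connection from here.

    Run this from a network position that should NOT have access (e.g. the public
    internet) to confirm the security group rules actually block it.
    """
    reachable = {}
    for port, service in ports.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable[port] = service
        except OSError:
            continue
    return reachable


# Constructed sample manifest for the example (not a real deployment). Most fields
# still carry defaults; the cloud_provider mbus password has been changed.
SAMPLE_MANIFEST = {
    "name": "bosh",
    "jobs": [{
        "name": "bosh",
        "properties": {
            "nats": {"address": "127.0.0.1", "user": "nats", "password": "nats-password"},
            "postgres": {"user": "postgres", "password": "postgres-password"},
            "registry": {"address": "10.0.0.6", "port": 25777,
                         "username": "registry", "password": "registry-password"},
            "director": {"address": "127.0.0.1", "name": "my-bosh",
                         "user_management": {"provider": "local", "local": {"users": [
                             {"name": "admin", "password": "admin"},
                             {"name": "hm", "password": "hm-password"},
                         ]}}},
            "agent": {"mbus": "nats://nats:nats-password@10.0.0.6:4222"},
        },
    }],
    "cloud_provider": {"mbus": "https://mbus:ChangedThisOne@10.0.0.6:6868"},
}


if __name__ == "__main__":
    for path, password in find_default_credentials(SAMPLE_MANIFEST):
        print(f"DEFAULT CREDENTIAL at {path}: {password!r}")
    # Optional: python3 bosh_check.py <director-ip> probes the director ports.
    if len(sys.argv) > 1:
        for port, service in exposed_director_ports(sys.argv[1]).items():
            print(f"REACHABLE {sys.argv[1]}:{port} ({service})")
```

A manifest with rotated passwords and no URL-embedded defaults produces an empty finding list; a reachable port list that is non-empty from an untrusted network means the security group rules are not doing their job even if the credentials were changed.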