Re: CVE-2016-9882: Cloud Foundry Logs Service Credentials


Nicholas Calugar
 

Hi Mike,

That’s a valid point. We [1] changed the default log level from debug2 to
info in CF-239; however, we think a lot of production Cloud Foundry
deployments may still use verbose logging levels.

[1] https://github.com/cloudfoundry/cloud_controller_ng/commit/46d882888d45a3b8ce8e0766e5f85b7abe2673d2


Nick
--
Nicholas Calugar

On January 9, 2017 at 4:13:31 PM, Mike Youngstrom (youngm(a)gmail.com) wrote:

It appears this only applies if you have debug enabled on the cloud
controller. Correct?

https://github.com/cloudfoundry/cloud_controller_ng/commit/21b9db9d1a58b9154f65404b34bf2e9e4c6260ae

On Mon, Jan 9, 2017 at 11:28 AM, Molly Crowther <mcrowther(a)cloudfoundry.org> wrote:

The following CVE has been announced on cloudfoundry.org/security.

https://www.cloudfoundry.org/cve-2016-9882/
Severity: Medium

Vendor: Cloud Foundry Foundation

Versions Affected:

- cf-release versions prior to v250
- CAPI-release versions prior to v1.12.0

Description:

Cloud Foundry logs the credentials returned from service brokers in Cloud
Controller system component logs. These logs are written to disk and often
sent to a log aggregator via syslog.

Mitigation:

OSS users are strongly encouraged to follow one of the mitigations below:

- Upgrade to Cloud Foundry v250 [1] or later
- For CAPI-Release users:
  - Upgrade to CAPI-Release v1.12.0 [2] or later

References:

- [1] https://github.com/cloudfoundry/cf-release/releases/tag/v250
- [2] https://github.com/cloudfoundry/capi-release/releases/tag/1.12.0

History:

2017-01-09: Initial vulnerability report published
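As an added example, not code from this thread or from cloud_controller_ng: a Ruby sketch of the failure mode the advisory describes and the two ways it is reduced (a less verbose default level, as in CF-239, and redacting broker credentials before they are formatted into a log line), plus a check an operator can run over existing log lines. The broker response, the `SENSITIVE_KEYS` list and the level ordering are constructed assumptions, not Cloud Controller's real configuration.

```ruby
require 'json'

# Constructed example of a service broker bind response (not real broker
# output): the credentials sit next to fields that are harmless in a log.
BROKER_BIND_RESPONSE = {
  'credentials' => { 'uri' => 'mysql://dbuser:s3cr3t@10.0.0.5:3306/app_db',
                     'username' => 'dbuser', 'password' => 's3cr3t' },
  'syslog_drain_url' => 'syslog://drain.example.internal:514'
}.freeze

# Log levels from most to least verbose; debug2 was the pre-CF-239 default.
LOG_LEVELS = %i[debug2 debug info warn error].freeze

# Hypothetical key list: fields whose values must never reach a log file.
SENSITIVE_KEYS = %w[credentials password].freeze

# Recursively replace sensitive values with a marker while keeping the
# document's shape, so the log line stays useful for debugging.
def redact(value)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = SENSITIVE_KEYS.include?(k.to_s) ? '[REDACTED]' : redact(v)
    end
  when Array then value.map { |v| redact(v) }
  else value
  end
end

# Line a debug-level logger would write for a broker response at the given
# configured level, or nil when that level suppresses debug output.
# redact_secrets: false models the vulnerable behaviour, true the hardened one.
def log_broker_response(response, configured_level, redact_secrets: false)
  return nil if LOG_LEVELS.index(configured_level) > LOG_LEVELS.index(:debug)

  body = redact_secrets ? redact(response) : response
  "broker response: #{body.to_json}"
end

# Detection over existing Cloud Controller or syslog-aggregated lines: true
# when a line contains any secret known from the deployment's bindings.
def leaks_credentials?(line, known_secrets)
  known_secrets.any? { |secret| line.include?(secret) }
end
```

Running at `:info` suppresses the line entirely (the CF-239 default), but only redaction keeps a deployment safe once an operator turns debug logging back on.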
