CVE-2017-4970: Static file buildpack ignores basic authentication when misconfigured
Molly Crowther
Please see the following CVE (also available at https://www.cloudfoundry.org/cve-2017-4970/). To always be up to date with OSS Cloud Foundry CVE notices, please check out the #security channel in the Cloud Foundry Slack or subscribe to https://www.cloudfoundry.org/category/security/feed/ in your favorite feed reader.

Thanks,
Molly Crowther
CFF Security Team

April 10, 2017

CVE-2017-4970: Staticfile buildpack ignores basic authentication when misconfigured

Severity
High

Vendor
Cloud Foundry Foundation

Versions Affected
- cf-release v255
- Staticfile buildpack versions v1.4.0 – v1.4.3

Description
A regression introduced in the Staticfile buildpack causes the Staticfile.auth configuration to be ignored when the Staticfile file is not present in the application root. Applications containing a Staticfile.auth file but not a Staticfile had their basic auth turned off when an operator upgraded the Staticfile buildpack in the foundation to one of the vulnerable versions. Note that Staticfile applications without a Staticfile are technically misconfigured, and will not successfully detect unless the Staticfile buildpack is explicitly specified.

Mitigation
OSS users are strongly encouraged to follow one of the mitigations below:
- For existing deployments, upgrade the Staticfile Buildpack to v1.4.4 or later [1] and restage all applications that use the Staticfile Buildpack.
- Upgrade to cf-release v256 [2] when available.

References
- [1] https://github.com/cloudfoundry/staticfile-buildpack/releases
- [2] https://github.com/cloudfoundry/cf-release/releases

History
2017-04-10: Updated mitigation to apply to all apps using the Staticfile buildpack instead of just apps with detection
2017-04-10: Initial vulnerability report published
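The description above names a precise condition: an application root that carries a Staticfile.auth but no Staticfile, pushed with a Staticfile buildpack in the v1.4.0 – v1.4.3 range. The following is an added audit helper, not code from the advisory or from the Cloud Foundry project, that an operator could run over application source directories to find exactly that combination before or after upgrading. It only uses the file names and version range stated in the advisory; the function names, the return values and the sample application roots it constructs are assumptions of this example.

```python
import os
import re
import tempfile

# Versions named in the advisory as affected, and the first fixed release.
AFFECTED_LOW = (1, 4, 0)
FIXED_VERSION = (1, 4, 4)


def parse_version(tag):
    """Parse a release tag such as 'v1.4.3' into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag.strip())
    if not m:
        raise ValueError(f"unrecognised buildpack version tag: {tag!r}")
    return tuple(int(x) for x in m.groups())


def buildpack_is_vulnerable(tag):
    """True only for the Staticfile buildpack releases the advisory lists (v1.4.0 to v1.4.3)."""
    return AFFECTED_LOW <= parse_version(tag) < FIXED_VERSION


def classify_app_root(app_root):
    """Classify an application root by the presence of Staticfile and Staticfile.auth.

    Returns one of:
      'no-auth'            - no Staticfile.auth, nothing for basic auth to protect
      'auth-configured'    - both files present, the supported configuration
      'auth-without-staticfile' - Staticfile.auth present but no Staticfile (the
                             misconfiguration the advisory describes)
    """
    has_staticfile = os.path.isfile(os.path.join(app_root, "Staticfile"))
    has_auth = os.path.isfile(os.path.join(app_root, "Staticfile.auth"))
    if has_auth and not has_staticfile:
        return "auth-without-staticfile"
    if has_auth:
        return "auth-configured"
    return "no-auth"


def assess(app_root, buildpack_tag):
    """Return (at_risk, finding) for one app root staged with the given buildpack release.

    An app is at risk of CVE-2017-4970 when it is in the misconfigured state AND the
    buildpack is one of the affected releases; every other combination is reported
    with the reason it is not exposed (or still worth fixing).
    """
    state = classify_app_root(app_root)
    vulnerable_bp = buildpack_is_vulnerable(buildpack_tag)
    if state == "auth-without-staticfile":
        if vulnerable_bp:
            return True, "Staticfile.auth ignored by affected buildpack: basic auth is OFF"
        return False, "misconfigured (add a Staticfile), but buildpack honours Staticfile.auth"
    if state == "auth-configured":
        return False, "Staticfile present: basic auth applied on all listed versions"
    return False, "no Staticfile.auth: nothing to protect"


def demo():
    """Build three constructed sample app roots in a temp dir and assess each.

    The directories and their contents are constructed for this example only.
    """
    results = {}
    with tempfile.TemporaryDirectory() as root:
        layouts = {
            "good-app": ["Staticfile", "Staticfile.auth"],
            "misconfigured-app": ["Staticfile.auth"],
            "public-app": ["index.html"],
        }
        for name, files in layouts.items():
            app_dir = os.path.join(root, name)
            os.makedirs(app_dir)
            for f in files:
                with open(os.path.join(app_dir, f), "w") as fh:
                    fh.write("# constructed placeholder content\n")
        for name in layouts:
            app_dir = os.path.join(root, name)
            results[name] = {
                "v1.4.3": assess(app_dir, "v1.4.3")[0],  # affected release
                "v1.4.4": assess(app_dir, "v1.4.4")[0],  # first fixed release
            }
    return results


if __name__ == "__main__":
    for app, by_version in demo().items():
        print(app, by_version)
```

In a real foundation the application roots come from the source an operator has for each app; the point of the check is that only the combination of the misconfigured root and an affected buildpack release loses basic authentication, which is why the advisory's mitigation is to upgrade the buildpack and restage every Staticfile app rather than to audit apps one by one.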