|
Command Injection Vulnerability
Rasheed Abdul-Aziz
The Cloud Foundry Foundation and Pivotal Inc discovered an exploit for
remote command injection. It's long been fixed, however we realized that many community projects still contain the exploit. If you are responsible for any of the following repositories, please consider patching them soon. The patch is described in the detailed report <https://docs.google.com/document/d/1MOJPOR_fNjvhu2zcEvLm632Dmd2HGp71UCrSmyOHcFs/pub> This exploit <http://pivotal.io/security/cve-2016-6655>exists in the following projects. We've highlighted the affected lines *docker-registry-boshrelease* https://github.com/cloudfoundry-community/docker-registry-boshrelease/blob/ master/src/common/utils.sh#L4-L5 *stackdriver-tools* https://github.com/cloudfoundry-community/stackdriver-tools/blob/master/ src/common/utils.sh#L3-L4 *hazelcast* https://github.com/cloudfoundry-community/hazelcast/blob/master/ hazelcast-enterprise-for-pcf/release/src/common/utils.sh#L4-L5 https://github.com/cloudfoundry-community/hazelcast/blob/master/ hazelcast-for-pcf/release/src/common/utils.sh#L4-L5 https://github.com/cloudfoundry-community/hazelcast/blob/master/ hazelcast-mancenter-for-pcf/release/src/common/utils.sh#L4-L5 *gogs-boshrelease* https://github.com/cloudfoundry-community/gogs-boshrelease/blob/master/src/ common/utils.sh#L4-L5 *bosh-softlayer-pool-server-release* https://github.com/cloudfoundry-community/bosh- softlayer-pool-server-release/blob/master/jobs/vps/ templates/pid_utils.sh.erb#L3-L4 Kind Regards, Rasheed Abdul-Aziz And Zamir Johl Pivotal Inc Security Triage Team. |
|
|
|
Re: CF-extensions monthly recurring (last Monday) meeting - next on Monday 30, January 2017
Dieu Cao <dcao@...>
Hi Max,
I highly recommend not using appear.in for meetings with multiple people. I've had many bad experiences lately when more than one person is on the call. -Dieu On Mon, Jan 23, 2017 at 1:42 PM, Michael Maximilien <maxim(a)us.ibm.com> wrote: fyi... |
|
|
|
Re: Routing for Isolation Segments
Hi Shannon,
toggle quoted message
Show quoted text
Thanks for the feedback solicitation on this feature, and for sharing the inception summary material with the community. In the case of Orange, the partitioned routing table is a must for running IS in production. The Access control would be useful as to enhance the user experience in the CLI, and reduce troubleshooting burden to CF operators, but wouldn't account to the security ratings evaluated for onboarding sensitive apps in CF. We see it important as well but of lower priority than partitioned routing table. One use case we have for IS is to have an IS for production internet facing application, and one IS for intranet facing application.The partitioned routing table protects intranet facing applications being exposed on the internet in case of a faulty load balancer configuration. I added also some misc comments to the inception summary slides. Besides, I did not see mention in the summary material of the access control to NATS or routing API per isolation segment, as to account for the discussed compromise scenario [1] below. This is likely to be a must for our organization to be able to leverage isolation segments: CVE-2016-6655 [2] makes some people in our organization judge that such vulnerabilities make the compromise scenario below realistic and too risky for some of our applications that would have liked to benefit a CF instance leveraging IS. Compromise scenario: the compromise of an IS1 could allow an attacker to compromise another IS2 through the shared control plane (NATS or routing API in this case). Potentially exploitable compromise across IS could be (in the case of the shared routing control plane) to alter another IS routing table resulting in: - denial of service (unregistering all routes into another IS), - routing traffic to a malicious route service, being therefore able to sniff all traffic from another IS. I wonder whether there is still a 2nd phase plan to address this compromise scenario and if so, if you could share some details. Thanks again, Guillaume. [1] https://docs.google.com/document/d/1FFW8YwKeBK1DuSXFHH_wxGpSZpOpkPN5yOUB-03whsI/edit?disco=AAAAA4X5De0 [2] http://cf-dev.70369.x6.nabble.com/cf-dev-CVE-2016-6655-Utility-script-command-injection-tt5922.html#a5961 On Wed, Jan 25, 2017 at 3:12 AM, Mike Youngstrom <youngm(a)gmail.com> wrote:
Got it, so what I said before hold. We view access control as a must and |
|
|
|
[it-infrastructure-alerts] Thursday, January 25th, 6PM PT Mailman 3 Upgrade
Chip Childers <cchilders@...>
FYI Lists will blip
---------- Forwarded message --------- From: Jordan Evans <jevans(a)linuxfoundation.org> Date: Wed, Jan 25, 2017 at 4:45 PM Subject: [it-infrastructure-alerts] Thursday, January 25th, 6PM PT Mailman 3 Upgrade To: IT Infrastructure Alerts <it-infrastructure-alerts(a)linuxfoundation.org> What: Core IT's Mailman 3 web interface will be brought down for a minor upgrade. Expected downtime is 10 minutes. Two further emails will be sent when the maintenance begins and when it is complete. When: 6:00 PM PT, January 25th 2017 Affected: lists.cloudfoundry.org lists.zephyrproject.org lists.odpi.org All mailman 2 hosts are unaffected by this. -- You received this message because you are subscribed to the Google Groups "IT Infrastructure Alerts" group. To unsubscribe from this group and stop receiving emails from it, send an email to it-infrastructure-alerts+unsubscribe(a)linuxfoundation.org. -- You received this message because you are subscribed to the Google Groups "Foundation Staff" group. To unsubscribe from this group and stop receiving emails from it, send an email to foundation-staff+unsubscribe(a)cloudfoundry.org. To post to this group, send email to foundation-staff(a)cloudfoundry.org. To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/foundation-staff/CAJSkqOyrgf3t1nYn0MxRpsnBD5eMTDn-dcrqFbbKtAhQmB17ZA%40mail.gmail.com . -- Chip Childers CTO, Cloud Foundry Foundation 1.267.250.0815 |
|
|
|
Re: Incubation proposal: Abacus Service Broker
Thanks Max.
toggle quoted message
Show quoted text
Using the opportunity to remind of the Abacus Broker inception on January 31st @ 10a PST Use the following link to add it to your calendar: https://calendar.google.com/calendar/event?action=TEMPLATE&tmeid= dDJwNmg5Z3ViN2NpOGozdGxoZ3Y0b3ZpamMgaHNpbGlldkBt&tmsrc=hsiliev%40gmail.com All connection details are on the Google Calendar invite link. Regards, Hristo Iliev 2017-01-21 0:15 GMT+02:00 Michael Maximilien <mmaximilien(a)gmail.com>: Hi, |
|
|
|
Re: Routing for Isolation Segments
Mike Youngstrom <youngm@...>
Got it, so what I said before hold. We view access control as a must and
toggle quoted message
Show quoted text
partitioned routing table a nice to have. Thanks, Mike On Tue, Jan 24, 2017 at 6:36 PM, Shannon Coen <scoen(a)pivotal.io> wrote:
Hi Mike, |
|
|
|
Re: Routing for Isolation Segments
Shannon Coen
Hi Mike,
toggle quoted message
Show quoted text
Thank you for the feedback. Without access control for domains, a developer could map route foo.example.com (for which the LB will route requests only to the router group for IS-1) to an app in a space associated with IS-2. If the routing table is not partitioned, both router groups will have the route in their routing tables. If the LB is correctly configured, it will route requests for foo.example.com only to the router group for IS-1. The routers will attempt to route the request. Assuming the firewalls are configured correctly, the routers will return a 502. If the routing table is partitioned, only the router group for IS-2 will have the route in its routing table. If the LB is correctly configured, it will route requests for foo.example.com only to the router group for IS-1. The routers will reject the request immediately, returning a 404. Either way, the developer is set up for failure. Shannon Coen Product Manager, Cloud Foundry Pivotal, Inc. On Tue, Jan 24, 2017 at 9:05 AM, Mike Youngstrom <youngm(a)gmail.com> wrote:
Question, Just want to make sure I'm following you. In your Access Control |
|
|
|
Re: Pending Proposals for CF-Extensions for 2017
Michael Maximilien
Thanks. Updated. Best,
max On Mon, Jan 23, 2017 at 8:28 PM, Takahito SEYAMA <t.seyama20(a)gmail.com> wrote: Hi Michael, -- max http://maximilien.org http://blog.maximilien.com |
|
|
|
Re: Routing for Isolation Segments
Mike Youngstrom <youngm@...>
Question, Just want to make sure I'm following you. In your Access Control
toggle quoted message
Show quoted text
example you mention that without access control a developer would be able to create a route to foo.example.com in a space associated with IS-2, but, that "route will fail". Is this example assuming that the "Partitioning the Routing Table" feature was implemented, a properly configured firewalls, or would the route fail for some other reason? I think for our use cases we only require Access Control. We are capable of configuring our firewalls and such correctly. :) Partitioned routing tables would be nice too but I think a lower priority. Mike On Mon, Jan 23, 2017 at 6:24 PM, Shannon Coen <scoen(a)pivotal.io> wrote:
Last week the CF Routing team incepted on enhancements for dedicated |
|
|
|
Re: Pending Proposals for CF-Extensions for 2017
Takahito SEYAMA
Hi Michael,
toggle quoted message
Show quoted text
Thank you for adding "Private Stacks" to the list. I'm sorry I haven't told you about my affiliation. Please fix it to "owner company: NTT Communications" . Regards, NTT Communications t.seyama 2017-01-21 7:54 GMT+09:00 Michael Maximilien <maxim(a)us.ibm.com>: Hi, all, |
|
|
|
Routing for Isolation Segments
Shannon Coen
Last week the CF Routing team incepted on enhancements for dedicated
deployments of the CF routers for isolation segments. - Original proposal <https://docs.google.com/document/d/1FFW8YwKeBK1DuSXFHH_wxGpSZpOpkPN5yOUB-03whsI/edit?usp=sharing> - Summary <https://docs.google.com/presentation/d/1D4aguVXHtTGdhFPAqAC1exZd0Nrh2o4VO3PR4kmHvq4/edit?usp=sharing> For those of you who are looking forward to leveraging isolation segments for your use cases, we'd like to know whether you would be inclined to use dedicated routing tiers for isolation groups in production without the proposed enhancements below, or whether you would require either/both of the enhancements we have in mind. *Current Support* With compute-only isolation, an application can be deployed to an isolated pool of Diego Cells. On its own, this design will rely on a shared routing tier with access to all isolation segments. This requires an operator to carefully configure their load balancer and firewall rules to prevent an attacker using a spoofed Host header to reach an application that shouldn't be publicly routable. An operator can currently deploy dedicated deployments of routers for an isolation segment but the routing table will be shared among them. Should a misconfigured load balancer forward a request to routers for an app on another isolation segment, the routers will attempt to route the request. If the firewall is correctly configured, the router will return a 502. If the firewall is misconfigured, a private app may be publicly accessible. *Proposed Enhancement: Partitioning the Routing Table* By partitioning the routing table, routers dedicated to a isolation segment will only route requests for apps in an associated isolation segment; if a load balancer were misconfigured, and a request for an app in another isolation segment were forwarded to the routers, a 404 would be returned. *Proposed Enhancement: **Access Control* An org may have multiple domains and multiple isolation segments. A space is associated with only one isolation segment. Example: if the operator has configured their LB to point *.foo.example.com at routers for isolation segment IS-1 and *.bar.example.com at routers for isolation segment IS-2, there's nothing preventing an app developer from creating a route from domain foo.example.com in a space associated with IS-2. Requests to the route will fail and the developer would not know why. To prevent this, we'll enable API clients to filter domains by targeted space, so that a developer only sees domains from which they can create working routes. *Your Feedback* Please let us know if you would require either of these enhancements for routing to isolation segments in your production environments. Thank you, Shannon Coen Product Manager, Cloud Foundry Pivotal, Inc. |
|
|
|
CF-extensions monthly recurring (last Monday) meeting - next on Monday 30, January 2017
Michael Maximilien
fyi...
Join me on 30 January 2017 @ 11a PDT for our monthly recurring meeting.
Online meeting: https://appear.in/cf-extensions
Use the following link to add it to your calendar:
I plan to hold the meeting at Pivotal when I am there, so ping me on the #cf-extensions slack channel if you want to participate live. All other details are on the Google Calendar invite link. Talk soon.
Best,
------ dr.max ibm cloud labs silicon valley, ca maximilien.org |
|
|
|
Re: Considering deprecation of the HAProxy in cf-release
Shannon Coen
HAProxy in cf-release has the same limitation, so removal of it would be no worse. I believe a battery-included load balancer still provides benefits toHistorically, we've taken the approach that BOSH releases can be deployed to any infrastructure that BOSH supports, and that all features in a BOSH release are infrastructure agnostic. As AWS doesn't support the feature you've mentioned, this would be an infrastructure-specific feature. I wonder whether it could make sense to incubate theThat sounds interesting.
|
|
|
|
Re: Proposed changes to Gorouter log message format
Shannon Coen
Hello Carlo,
There are no plans to use Zap in other components. Best, Shannon Coen Product Manager, Cloud Foundry Pivotal, Inc. On Sun, Jan 22, 2017 at 5:12 PM, Carlo Alberto Ferraris < carlo.ferraris(a)rakuten.com> wrote: Shannon, |
|
|
|
Re: Considering deprecation of the HAProxy in cf-release
Hi Shannon,
Sorry for late delay on this. Historically, HAProxy has fulfilled two use cases: load balancing and TLStermination. Since support for TLS termination was added to Gorouter, load balancing may be the remaining use case. I understand the gorouter still only supports serving a single TLS certificate [1], which makes it hard to support distinct api and app https domains, which is often useful in lab environments. I believe a battery-included load balancer still provides benefits to small production environments which can't leverage out of the box load balancer solution. Orange started contributing redundancy/HA support to the cf-community haproxy bosh release, in the form of an active/passive fail over leveraging keep-alived through VRRP protocol [2]. While this needs further work to work in constrained cloud environments (without multicast and gratuitous ARP support, such as AWS), it is likely these environments provide out of the box their own production-grade load balancer construct, or support for them can be added on top of keep-alived using unicast as Iaas-specific features such as floating IPs. I wonder whether it could make sense to incubate the cloudfoundry-community/haproxy-boshrelease as to preserve such portable battery-included load balancer and keep hard cloud prerequisites low for newcomers/evaluations. Regards, Guillaume. [1] http://bosh.io/jobs/gorouter?source=github.com/cloudfoundry/cf-release&version=251#p=router.ssl_cert [2] https://github.com/cloudfoundry-community/haproxy-boshrelease/pull/39 On Fri, Jan 13, 2017 at 9:25 PM, Shannon Coen <scoen(a)pivotal.io> wrote: Over that past year or two, CF teams have been extracting components from |
|
|
|
Re: Proposed changes to Gorouter log message format
Carlo Alberto Ferraris
Shannon,
Are there plans to extend the use of zap to all CF components? Thanks, Carlo |
|
|
|
Pending Proposals for CF-Extensions for 2017
Michael Maximilien
Hi, all,
I am trying to get a handle on all pending proposals to CF-Extensions as well as anything proposed to CF that is now orphaned or would like to be considered in the CF-Extensions PMC. I have a list [1], however, I am sure it is not complete.
Please, if you have a proposal pending fitting above and it's not listed please add it or respond here or to me directly so I add and start tracking.
Thanks, [1] https://docs.google.com/document/d/1aKmxFdGC4GnXBIZMx0qdIawHrEIRSjBOzB-spoPlbM8/edit?usp=sharing
------ dr.max ibm cloud labs silicon valley, ca maximilien.org |
|
|
|
Re: Incubation proposal: Abacus Service Broker
Michael Maximilien
Hi,
As discussed today, I will be happy to help you run the inception. If anyone else (with more experience) was interested in helping, please ping me and Hristo. See you all (virtually) online on the 31st. Best, Max On Mon, Nov 28, 2016 at 1:29 PM, Michael Maximilien <mmaximilien(a)gmail.com> wrote: Hi, all, -- max http://maximilien.org http://blog.maximilien.com |
|
|
|
Re: [ PHP ] Best config practices
Nicholas Calugar
Dan,
toggle quoted message
Show quoted text
I’m concerned that .user.ini and .htaccess files are processed for every request. This is a no-no for production apps. As for overriding the entire php.ini, I’m in favor of extensibility. This way when a new version of PHP ships with a new default php.ini, I don’t have to update my application. Do you have an example of how to override PHP configuration in an extensible manner? -Nick -- Nicholas Calugar On January 20, 2017 at 10:49:59 AM, Daniel Mikusa (dmikusa(a)pivotal.io)
wrote: On Fri, Jan 20, 2017 at 1:27 PM, Nicholas Calugar <ncalugar(a)pivotal.io> wrote: You may also want to look into [1] .user.ini files.This is probably not necessary as there's a bunch of ways to override PHP config currently. You mentioned `.user.ini` files which is a great option, you can also use `.htaccess` files assuming you're using HTTPD which is the default web server configured by the build pack, you can override the entire default build pack php.ini with the method mentioned here [2] and you can do dynamic generation as I mentioned in `.profile` / `.profile.d`. Dan [2] - https://docs.cloudfoundry.org/buildpacks/php/gsg-php-config.html#engine-configurations
|
|
|
|
Re: CF Java Client
Chenulu P
Thanks Ben. I will try with the new Java Client.
|
|
|