CVE-2016-6639 PHP Buildpack exposes .profile file
Cloud Foundry Foundation
- PHP Buildpack versions prior to v4.3.18
- Cf-release versions prior to v242
The .profile file, which can potentially include environment variables and credentials, is exposed by default in the PHP Buildpack. The PHP buildpack prior to v4.3.18 did not actually allow for execution of the .profile file, so it is unlikely that many applications were using it.
Affected VMware Products and Versions
- Cloud Foundry PHP buildpack versions prior to 4.3.18
- New installations of PCF Elastic Runtime versions prior to 1.6.38 and 1.7.x versions prior to 1.7.19
Users of affected versions should apply the following mitigation:
- For existing deployments, upgrade the PHP Buildpack to v4.3.18 or later  and restage all applications that use automated buildpack detection.
- Immediately rotate credentials for apps using the PHP buildpack if they were stored in the .profile file.
- For new deployments, install PCF Elastic Runtime 1.6.38 or later or for 1.7.x versions install v1.7.19 or later.
Cloud Foundry Buildpacks Team
2016-09-07: Initial vulnerability report published