CVE-2016-6658 Incomplete fix for Credential Vulnerability for Custom Buildpacks
Severity
Medium
Vendor
Cloud Foundry Foundation
Versions Affected
- cf-release versions prior to 245
Description
This CVE addresses an incomplete fix for CVE-2016-6638, a credential vulnerability in the Cloud Controller database.
Original text of CVE-2016-6638: Applications can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repository. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud Controller database could view these credentials.
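A defensive check for the exposure described above, as an added example that is not part of the advisory or Cloud Foundry's own code: it flags buildpack settings whose URL carries a credential (userinfo or a token query parameter) and returns a redacted form suitable for logs and reports. The parameter names in `SECRET_PARAMS`, the function names and the sample values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as secrets (assumed list, extend as needed).
SECRET_PARAMS = {"access_token", "token", "oauth_token", "private_token"}

def audit_buildpack(value):
    """Return (has_credential, redacted_value) for one buildpack setting."""
    parts = urlsplit(value)
    # Buildpack names ("ruby_buildpack") and scp-style git remotes
    # ("git@host:org/repo.git") have no http(s) authority, so there is
    # no password or token in them to report.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False, value
    found = False
    netloc = parts.netloc
    if "@" in netloc:
        # Everything before the last "@" is userinfo: user:password or a
        # bare token used as the user name. Redact it as a whole.
        found = True
        netloc = "REDACTED@" + netloc.rsplit("@", 1)[1]
    query = []
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_PARAMS:
            found = True
            val = "REDACTED"
        query.append((key, val))
    if not found:
        return False, value
    return True, urlunsplit(
        (parts.scheme, netloc, parts.path, urlencode(query), parts.fragment))

def audit_all(buildpacks):
    """Map app name -> redacted URL for every setting that holds a credential."""
    results = {app: audit_buildpack(url) for app, url in buildpacks.items()}
    return {app: red for app, (hit, red) in results.items() if hit}

# Constructed sample values; none come from a real deployment.
SAMPLE = {
    "billing": "https://alice:s3cret@github.com/acme/private-buildpack.git#v1.2",
    "search": "https://github.com/acme/bp.git?access_token=abc123",
    "portal": "https://bob:p@ss@example.com/bp.zip",
    "web": "https://github.com/cloudfoundry/ruby-buildpack.git",
    "api": "ruby_buildpack",
    "batch": "git@github.com:acme/bp.git",
}

if __name__ == "__main__":
    for app, redacted in audit_all(SAMPLE).items():
        print(f"{app}: credential in buildpack URL -> {redacted}")
```

Credentials found this way should be rotated as well as removed from the buildpack setting, since the advisory states the URL was stored unencrypted.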
Affected VMware Products and Versions
- PCF Elastic Runtime:
  - All versions prior to 1.6.49
  - 1.7.x versions prior to 1.7.31
  - 1.8.x versions prior to 1.8.11
Mitigation
OSS users are strongly encouraged to follow the mitigation below:
- Upgrade to Cloud Foundry v245 [1] or later
Users of affected Pivotal Products are strongly encouraged to follow the mitigation below:
- Upgrade Pivotal Cloud Foundry Elastic Runtime to 1.6.49 or later OR 1.7.x versions to 1.7.31 or later OR 1.8.x versions to 1.8.11 or later
Credit
Cloud Foundry Cloud Controller Team
References
History
2016-09-07: Initial vulnerability report published for CVE-2016-6638
2016-11-02: Vulnerability report published for CVE-2016-6658