CVE-2016-5006 Cloud Controller API logs user-provided service credentials
Severity
High
Vendor
Cloud Foundry Foundation
Versions Affected
- Cloud Foundry releases prior to v239
Description
When creating a user-provided service (UPS) in Cloud Foundry, the Cloud Controller logs the entire UPS object, including the credentials provided by the user.
Affected VMware Products and Versions
- PCF Elastic Runtime versions prior to 1.6.33 AND 1.7.x versions prior to 1.7.11
Mitigation
Users of affected versions should apply the following mitigations:
- The Cloud Foundry project recommends that users upgrade to Cloud Foundry v239 [1] or later
- Upgrade PCF Elastic Runtime to 1.6.33 or later OR 1.7.x versions to 1.7.11 or later
- Rotate all credentials associated with user-provided services for affected deployments. Refer to this document for more information.
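An added illustration (not code from the Cloud Foundry project) of the defect in the Description and of the audit a defender would run before the rotation step above: the vulnerable path serialises the whole UPS request body into the log line, the hardened path redacts the credentials object first, and a scan over captured log lines reports which lines contain a given UPS's credential values. The request-body shape, the sensitive key list and the log-line format are assumptions, not the Cloud Controller's actual format.

```python
import json

# Keys whose values must never reach a log line. "credentials" is the field
# the advisory names; the others are assumed common sensitive keys.
SENSITIVE_KEYS = {"credentials", "password", "token", "secret"}


def redact(obj):
    """Return a copy of a UPS request body with sensitive values replaced.
    Walks nested dicts/lists so a credentials object is redacted whole."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def log_line_vulnerable(ups):
    # Pre-v239 behaviour described by the advisory: the entire object is logged.
    return "Creating user-provided service: " + json.dumps(ups, sort_keys=True)


def log_line_fixed(ups):
    # Hardened form: redact before serialising, so secrets never enter the log.
    return "Creating user-provided service: " + json.dumps(redact(ups), sort_keys=True)


def credential_values(ups):
    """Flatten every string under 'credentials' so it can be searched for in logs."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for v in node.values():
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
        elif isinstance(node, str) and node:
            found.append(node)

    walk(ups.get("credentials", {}))
    return found


def find_exposed(log_lines, ups):
    """Indexes of log lines containing any credential value of this UPS.
    Any hit means those credentials were exposed and must be rotated."""
    secrets = credential_values(ups)
    return [i for i, line in enumerate(log_lines) if any(s in line for s in secrets)]


# Constructed sample request body (placeholder values, not from the advisory).
SAMPLE_UPS = {
    "name": "billing-db",
    "space_guid": "00000000-0000-0000-0000-000000000000",
    "credentials": {"username": "app_user", "password": "hunter2-example",
                    "uri": "postgres://app_user:hunter2-example@db.internal/billing"},
    "syslog_drain_url": "",
}
```

Running `find_exposed` over a deployment's collected Cloud Controller logs with each UPS body gives the list of services whose credentials appeared in the logs and therefore need rotation.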
References
History
2016-07-26: Initial vulnerability report published