CVE-2016-0708 Remote Information Disclosure


Severity

Critical

Vendor

Cloud Foundry Foundation

Versions Affected
  • Cloud Foundry v166 through v227
  • Cloud Foundry Java Buildpack v2.0 through v3.4
Description

Applications deployed to Cloud Foundry may be vulnerable to a remote disclosure of information, including, but not limited to environment variables and bound service details. For applications to be vulnerable, they must have been staged using automatic buildpack detection, passed through the Java Buildpack detection script, and allow the serving of static content from within the deployed artifact. The default Apache Tomcat configuration in the affected java buildpack versions for some basic web application archive (WAR) packaged applications are vulnerable to this issue.

Affected Pivotal Products and Versions
  • Pivotal Cloud Foundry Elastic Runtime 1.4.0 through 1.4.5
  • Pivotal Cloud Foundry Elastic Runtime 1.5.0 through 1.5.10
  • Pivotal Cloud Foundry Elastic Runtime 1.6.0 through 1.6.10
Mitigation

Pivotal customers should follow one of the mitigations below:

  • Upgrade to Elastic Runtime 1.5.11 and later versions of 1.5.x
  • Upgrade to Elastic Runtime 1.6.11 and later versions of 1.6.x

Cloud Foundry OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry v228 or later using a configuration option that remediates the issue. Details of the required configuration option are available on the cf-release v228 github release page [1] and the diego-release v0.1446.0 github release page [2]
  • Upgrade the Java Buildpack to v3.5.1 [3] or later and restage all applications that use automated buildpack detection

If only the Java Buildpack mitigation is used, it is required that all applications using automated buildpack detection are re-staged to remediate this issue.

If the upgrade to Elastic Runtime or Cloud Foundry v228 or later with the configuration option mitigation is used, running applications will no longer contain the sensitive information. It is still recommended to ask users to restage all applications that use automated buildpack detection so that sensitive information is not written to disk.

It is possible that sensitive application information may have been disclosed before the remediation, therefore it is recommended that applications using automated buildpack detection rotate credentials including environment variables for bound services, user-provided service instances, and developer provided environment variables. Most Service Brokers provide new credentials to each application using an unbind-service and bind-service sequence of commands.

References
History

2015-Jan-18: Initial vulnerability report published.

2016-Jan-20: Follow-on CVE-2016-0715 announced [4], release note configuration instructions updated, and Elastic Runtime 1.5.12 and 1.6.12 versions released.