CVE-2016-0896 IaaS Metadata Endpoint Accessible from Application Containers


Severity

High

Vendor

Pivotal

Description

As of PCF Elastic Runtime 1.3.0, application containers have a block-by-default network access policy. To enable network access to application containers, PCF Elastic Runtime 1.3.0 introduced a feature called Application Security Groups (ASGs). ASGs are sets of protocols, destinations, and ports an application container may access. Refer to this document for more information about ASGs.

For PCF Elastic Runtime deployments first installed using a version up to and including 1.6.24 and 1.7.2, an ASG named "all_open" was automatically bound to the default-staging and default-running ASG sets during installation. In PCF Elastic Runtime 1.6.25 and 1.7.3 this ASG was replaced by one named "default_security_group", which excludes the 169.254.169.254 endpoint used by multiple IaaS providers, including AWS EC2 and OpenStack, for instance metadata. As of PCF Elastic Runtime 1.6.34 and 1.7.12, this default ASG has been updated to exclude the entire link-local range 169.254.0.0/16. However, installations that were upgraded from a version older than 1.6.34 and 1.7.12 may still have the overly permissive default ASG.

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • PCF Elastic Runtime deployments first installed using a version prior to 1.6.34 or 1.7.0 to 1.7.12

Mitigation

Users of affected versions should apply the following mitigation:

  • Modify the “all_open” Application Security Group to exclude 169.254.0.0/16 and restart all applications to ensure the ASG is applied.
  • Refer to this Pivotal Support knowledge base article for detailed instructions.
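The following is an added example, not part of Pivotal's advisory or the knowledge base article it refers to. It builds a Cloud Foundry ASG rule set that allows all IPv4 traffic except a given block, and checks whether a rule set still reaches the 169.254.169.254 metadata endpoint, which is the test an operator wants after editing "all_open". It assumes the usual ASG rule shape (a JSON list of objects with "protocol", "destination" and optional "description"), and that "all_open" consists of a single rule for 0.0.0.0-255.255.255.255; both are assumptions here, so compare against the rules actually bound in your deployment (`cf security-group all_open`). It also shows why the /16 exclusion introduced in 1.6.34 and 1.7.12 matters: a rule set excluding only 169.254.169.254/32 still reaches the rest of the link-local range.

```python
"""Build and check Cloud Foundry Application Security Group (ASG) rule sets.

Added example for the CVE-2016-0896 advisory; not Pivotal code. The ASG rule
shape and the content of "all_open" below are assumptions, not taken from the page.
"""
import ipaddress
import json

METADATA_IP = "169.254.169.254"   # IaaS instance-metadata endpoint named in the advisory
LINK_LOCAL = "169.254.0.0/16"     # range excluded by the default ASG as of 1.6.34 / 1.7.12

# Assumed content of the "all_open" ASG: one rule covering every IPv4 address.
ALL_OPEN_RULES = [{"protocol": "all", "destination": "0.0.0.0-255.255.255.255"}]


def rules_excluding(excluded_cidr: str) -> list:
    """Return ASG rules allowing all IPv4 traffic except `excluded_cidr`.

    The complement of one CIDR within 0.0.0.0/0 is a list of CIDR blocks,
    one per prefix length; each becomes its own ASG rule with a CIDR destination.
    """
    everything = ipaddress.ip_network("0.0.0.0/0")
    excluded = ipaddress.ip_network(excluded_cidr)
    return [
        {
            "protocol": "all",
            "destination": str(net),
            "description": f"all traffic except {excluded}",
        }
        for net in sorted(everything.address_exclude(excluded))
    ]


def _destination_contains(destination: str, ip: ipaddress.IPv4Address) -> bool:
    """ASG destinations are a single IP, a CIDR block, or a 'first-last' range."""
    if "-" in destination:
        first, last = (ipaddress.ip_address(p.strip()) for p in destination.split("-", 1))
        return first <= ip <= last
    return ip in ipaddress.ip_network(destination, strict=False)


def ip_allowed(ip: str, rules: list) -> bool:
    """True if any rule in the ASG permits traffic to `ip` (ports ignored; protocol 'all')."""
    addr = ipaddress.ip_address(ip)
    return any(_destination_contains(rule["destination"], addr) for rule in rules)


def metadata_reachable(rules: list) -> bool:
    """The post-change check: can a container bound to these rules reach the metadata IP?"""
    return ip_allowed(METADATA_IP, rules)


if __name__ == "__main__":
    hardened = rules_excluding(LINK_LOCAL)
    # Write the rules out in the JSON form `cf update-security-group` consumes.
    print(json.dumps(hardened, indent=2))
    print("all_open reaches metadata endpoint:", metadata_reachable(ALL_OPEN_RULES))
    print("hardened reaches metadata endpoint:", metadata_reachable(hardened))
```

After saving the generated JSON to a file and updating the ASG with it, the advisory's last step still applies: running applications keep their old rules until they are restarted, so `metadata_reachable` on the new rule set says nothing about containers that have not yet been restaged or restarted.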

References