CVE-2016-5006 Cloud Controller API logs user-provided service credentials

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

  • Cloud Foundry releases prior to v239

Description

When creating a user-provided service (UPS) in Cloud Foundry, the Cloud Controller logs the entire UPS object including the credentials provided by the user.
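To illustrate the logging defect and the fix a defender would want in place, here is an added Ruby example (not code from Cloud Controller or the Cloud Foundry project). It contrasts logging the whole UPS request body with redacting the credential-bearing fields first, and adds a small helper for scanning existing log lines for known secret values so the affected services can be identified for rotation. The UPS object, the nested credential key names and the sample secret values are constructed assumptions.

```ruby
require 'json'

# Keys whose values must never reach a log line. 'credentials' is the
# field a user-provided service carries; the other names are assumed
# examples of secret-bearing keys, not a fixed Cloud Foundry schema.
SECRET_KEYS = %w[credentials password secret token].freeze

# Unsafe pattern (the behaviour described in the advisory): serializing
# the entire request body writes every user-supplied credential to the log.
def log_line_unsafe(ups)
  "Creating user-provided service: #{ups.to_json}"
end

# Hardened pattern: recursively replace secret-bearing fields before
# the object is serialized for logging.
def redact(obj)
  case obj
  when Hash
    obj.each_with_object({}) do |(k, v), out|
      out[k] = SECRET_KEYS.include?(k.to_s) ? '[REDACTED]' : redact(v)
    end
  when Array then obj.map { |v| redact(v) }
  else obj
  end
end

def log_line_safe(ups)
  "Creating user-provided service: #{redact(ups).to_json}"
end

# Audit helper for logs written before the fix: returns the lines that
# still contain any of the known secret values, so the services whose
# credentials were exposed can be rotated.
def leaked_lines(log_lines, known_secrets)
  log_lines.select { |line| known_secrets.any? { |s| line.include?(s) } }
end

# Constructed sample UPS object; the credential values are placeholders.
SAMPLE_UPS = {
  'name' => 'my-db',
  'space_guid' => 'space-guid-placeholder',
  'credentials' => { 'username' => 'dbuser', 'password' => 'Hunter2!' }
}.freeze
```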

Affected Pivotal Products and Versions

  • PCF Elastic Runtime versions prior to 1.6.33 AND 1.7.x versions prior to 1.7.11

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that users upgrade to Cloud Foundry v239 [1] or later
  • Upgrade PCF Elastic Runtime to 1.6.33 or later OR 1.7.x versions to 1.7.11 or later
  • Rotate all credentials associated with user-provided services for affected deployments. Refer to this document for more information.

References

History

2016-07-26: Initial vulnerability report published