CVE-2016-6658 Incomplete fix for Credential Vulnerability for Custom Buildpacks
Severity: Medium
Vendor: Cloud Foundry Foundation
Versions affected:
- cf-release versions prior to 245
This CVE addresses an incomplete fix for CVE-2016-6638, a credential vulnerability in the Cloud Controller database.
Original text of CVE-2016-6638: Applications can be configured and pushed with a user-provided custom buildpack using a URL pointing to the buildpack. Although it is not recommended, a user can specify a credential in the URL (basic auth or OAuth) to access the buildpack through the CLI. For example, the user could include a GitHub username and password in the URL to access a private repository. Because the URL to access the buildpack is stored unencrypted, an operator with privileged access to the Cloud Controller database could view these credentials.
- PCF Elastic Runtime:
- All versions prior to 1.6.49
- 1.7.x versions prior to 1.7.31
- 1.8.x versions prior to 1.8.11
OSS users are strongly encouraged to follow the mitigation below:
- Upgrade to Cloud Foundry v245 [1] or later
Users of affected Pivotal Products are strongly encouraged to follow the mitigation below:
- Upgrade Pivotal Cloud Foundry Elastic Runtime to 1.6.49 or later, or 1.7.x versions to 1.7.31 or later, or 1.8.x versions to 1.8.11 or later
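The description above notes that a credential placed in a custom buildpack URL (basic auth or OAuth) is stored along with that URL. As an added example, not part of the advisory or of Cloud Foundry's code, the following Python audit flags such URLs in a constructed list of app records and returns them redacted; the record layout (`name`, `buildpack`), the `SECRET_PARAMS` list and all sample values are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as secrets (assumed list, extend as needed).
SECRET_PARAMS = {"access_token", "token", "private_token"}

def audit_buildpack_url(url):
    """Return (findings, redacted_url) for one buildpack URL."""
    parts = urlsplit(url)
    findings = []
    netloc = parts.netloc
    if parts.username is not None:
        # user:pass@host is basic auth; token@host is an OAuth-style token as username.
        kind = "basic-auth userinfo" if parts.password is not None else "token-style userinfo"
        findings.append(kind)
        netloc = "REDACTED@" + netloc.rsplit("@", 1)[1]
    query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_PARAMS:
            findings.append(f"secret query parameter '{key}'")
            value = "REDACTED"
        query.append((key, value))
    redacted = urlunsplit((parts.scheme, netloc, parts.path, urlencode(query), parts.fragment))
    return findings, redacted

def audit_apps(apps):
    """Return {app name: (findings, redacted URL)} for apps whose buildpack URL carries a credential."""
    report = {}
    for app in apps:
        buildpack = app.get("buildpack") or ""
        if "://" not in buildpack:  # named system buildpack, not a URL
            continue
        findings, redacted = audit_buildpack_url(buildpack)
        if findings:
            report[app["name"]] = (findings, redacted)
    return report

# Constructed sample records; names, hosts and credentials are made up.
SAMPLE_APPS = [
    {"name": "billing", "buildpack": "https://alice:s3cret@github.com/example/private-buildpack.git"},
    {"name": "search", "buildpack": "https://0a1b2c3dtoken@github.com/example/bp.git#v1.2"},
    {"name": "reports", "buildpack": "https://git.example.com/bp.git?access_token=abc123"},
    {"name": "web", "buildpack": "https://github.com/cloudfoundry/ruby-buildpack.git"},
    {"name": "api", "buildpack": "java_buildpack"},
]

if __name__ == "__main__":
    for name, (findings, redacted) in audit_apps(SAMPLE_APPS).items():
        print(f"{name}: {', '.join(findings)} -> {redacted}")
```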
Credit: Cloud Foundry Cloud Controller Team
History:
- 2016-09-07: Initial vulnerability report published for CVE-2016-6638
- 2016-11-02: Vulnerability report published for CVE-2016-6658