cloudfoundry-incubator / kubecf

Cloud Foundry on Kubernetes
Apache License 2.0

CAPI logs service broker credentials (CVE-2021-22115) #1732

Open jbuns opened 3 years ago

jbuns commented 3 years ago

Describe the bug

As per the CVE's description:

Cloud Controller API versions prior to 1.106.0 logs service broker credentials if the default value of db logging config field is changed. CAPI database logs service broker password in plain text whenever a job to clean up orphaned items is run by Cloud Controller. A malicious user with access to those logs may gain unauthorised access to service broker.

https://www.cloudfoundry.org/blog/cve-2021-22115-capi-logs-service-broker-credentials/

To Reproduce

N/A

Expected behavior

CAPI shouldn't log service broker credentials

Environment

The latest version of KubeCF 2.7.13 is currently using

- name: capi
  url: https://bosh.io/d/github.com/cloudfoundry/capi-release?v=1.98.0
  version: 1.98.0
  sha1: e4b0b8a1ef10b71da5b09248150c3295197ee0b6


jbuns commented 3 years ago

Looks like the fix is already planned here: https://github.com/cloudfoundry-incubator/kubecf/issues/1730

jandubois commented 3 years ago

@jbuns I've looked at this CVE before, but I think it is really a low priority for kubecf because of:

if the default value of db logging config field is changed

kubecf doesn't change the default value, and doesn't expose a simple way to modify it, so standard deployments are unaffected. And the workaround to fix this is simply to revert the db logging field to its default value. This is really a debugging setting which should typically not be enabled in a production environment.

We will of course address this automatically whenever we do another release, which will bump cf-deployment. This was mostly held up because we lost CI for the last 6 weeks or so. It is back now, but upgrade tests are still problematic and may need some pipeline work.
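As an added example that is not part of the kubecf project or of anyone's comment in this thread: a small Python check an operator could run to answer the two questions raised above. First, is the pinned capi-release older than 1.106.0, the first fixed version named in the CVE text? The manifest snippet is the one quoted in the issue. Second, has an enabled DB-logging setting already left broker credentials in retained logs? The log lines are constructed samples (the logger names and SQL are invented for illustration, not real CAPI output), and the two regexes are generic password-assignment and URL-userinfo patterns rather than anything CAPI-specific.

```python
"""Added example: CVE-2021-22115 exposure checks for a KubeCF deployment.

Not kubecf project code. Version threshold comes from the CVE description
(first fixed capi-release: 1.106.0). Log samples below are constructed.
"""
import re
from typing import List, Optional, Tuple

FIXED_CAPI_VERSION = (1, 106, 0)  # first fixed capi-release, per the CVE text

# Releases block copied from the issue above (KubeCF 2.7.13 pins capi 1.98.0).
MANIFEST_SNIPPET = """\
releases:
- name: capi
  url: https://bosh.io/d/github.com/cloudfoundry/capi-release?v=1.98.0
  version: 1.98.0
  sha1: e4b0b8a1ef10b71da5b09248150c3295197ee0b6
"""

# Constructed log lines (not real CAPI output) showing the shape of the leak the
# CVE describes: a SQL statement carrying a broker password, and a broker URL
# with basic-auth userinfo embedded in it.
SAMPLE_LOG = """\
2021-03-01T10:00:00Z INFO  cc.job.orphan_cleanup started
2021-03-01T10:00:01Z DEBUG cc.db  SELECT * FROM service_brokers WHERE guid = 'b1'
2021-03-01T10:00:01Z DEBUG cc.db  UPDATE service_brokers SET auth_username = 'admin', auth_password = 'S3cretBrokerPw' WHERE id = 7
2021-03-01T10:00:02Z INFO  cc.broker.client GET https://admin:S3cretBrokerPw@broker.example.internal/v2/catalog
2021-03-01T10:00:03Z INFO  cc.job.orphan_cleanup finished
"""

# Generic patterns: "<something>pass<word><something> = 'value'" / ": value",
# and "scheme://user:secret@host". Neither is tied to CAPI's real log format.
PASSWORD_KV = re.compile(
    r"(?i)(\b[a-z_]*pass(?:word)?[a-z_]*\b\s*(?:=|:)\s*)(['\"]?)([^'\",\s]+)\2"
)
URL_USERINFO = re.compile(r"(?i)(\b[a-z][a-z0-9+.-]*://[^/\s:@]+:)([^@\s]+)(@)")


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.98.0' -> (1, 98, 0); short forms like '1.106' are padded to three parts."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def capi_release_version(manifest_text: str) -> Optional[str]:
    """Return the version pinned for the release named 'capi' in a releases list.

    Minimal line-based parsing, enough for the cf-deployment-style block quoted
    in the issue; it tracks the current '- name:' entry and reads its 'version:'.
    """
    current = None
    for line in manifest_text.splitlines():
        m = re.match(r"^\s*-\s*name:\s*(\S+)\s*$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s*version:\s*(\S+)\s*$", line)
        if m and current == "capi":
            return m.group(1)
    return None


def is_vulnerable_version(version: str) -> bool:
    """True when the pinned capi-release predates the first fixed version."""
    return parse_version(version) < FIXED_CAPI_VERSION


def find_credential_leaks(log_text: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for every line that looks like it carries a secret."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if PASSWORD_KV.search(line) or URL_USERINFO.search(line):
            hits.append((n, line))
    return hits


def redact(line: str) -> str:
    """Mask secret values so a finding can be reported without re-logging them."""
    line = PASSWORD_KV.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]{m.group(2)}", line)
    return URL_USERINFO.sub(r"\1[REDACTED]\3", line)


def assess(manifest_text: str, log_text: str) -> dict:
    """Combine the version check and the log scan into one summary."""
    version = capi_release_version(manifest_text)
    return {
        "capi_version": version,
        "vulnerable_version": is_vulnerable_version(version) if version else None,
        "leaked_lines": [n for n, _ in find_credential_leaks(log_text)],
    }


if __name__ == "__main__":
    print(assess(MANIFEST_SNIPPET, SAMPLE_LOG))
    for n, line in find_credential_leaks(SAMPLE_LOG):
        print(f"line {n}: {redact(line)}")
```

Run against real data, point `capi_release_version` at the deployment's rendered manifest and `find_credential_leaks` at exported Cloud Controller logs; a clean scan on a deployment that never changed the db logging default is the expected result, and any hit on an older release is a reason to rotate the affected broker credentials as well as upgrade.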