Closed chenl23 closed 5 years ago
We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.
The labels on this github issue will be updated when the story is started.
Please hold off on adopting v1.15 because of a regression issue found with using cf oauth-token with client credentials. The team is planning to deliver v1.16.
@chenl23 cf notifications doesn't use any of those features, so I'm unsure why there is a need to bump.
@osis Even if your product does not use the above-mentioned #1, #2, #3 use cases, someone can still exploit the system by running those CF CLI commands since they are available. Unless notifications does not use the CF CLI, then there is no chance of that happening. cc @abbyachau
@chenl23 The CF CLI exists in CF Notifications in the form of an ephemeral VM when deployed. The CF CLI does not stick around for general use at any time. Will be dealt with via the next maintenance cycle.
@osis FYI, CLI BOSH v1.16.0 is available. Please adopt it.
Important: Please read the release notes for a known issue with log-cache; we expect this to affect users running CATs in particular.
This request is for both the notifications and notifications-ui releases.
What
Please adopt the CF-CLI BOSH Release v1.16.0 and consider enabling auto-bumping of the package.
Why
Security vulnerabilities in the cf CLI will require teams to update to the latest version of cf CLI in order to address the following:
Issue #1: Running cf login in verbose/debugging mode did not properly redact passwords which contain regex characters. This issue was introduced in the CF CLI in May 2018.
Status: Fixed in CF-CLI Bosh Release 1.13
Details: See tracker story
Issue #2: Running cf CLI commands in verbose/debugging mode did not properly redact refresh tokens. This has been a known issue since approximately 2014.
Status: Fixed in CF-CLI Bosh Release 1.13
Details: See tracker story
Issue #3: When a user uses cf auth --client-credentials to authenticate as a client, the CF CLI writes the client id and secret to its config.json file. This issue was introduced in the CF CLI in March 2018.
Status: Fixed in CF-CLI Bosh Release 1.15
Details: See tracker story
When
Please prioritize, as these issues have been identified by the Security team as High severity CVEs.
Any questions, please reach out to the CF CLI team on Pivotal Slack at #cf-cli.
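Added example, not code from the cf CLI or from this issue: a Go reconstruction of the redaction failure behind Issue #1. If a secret is compiled as a regex pattern, a secret containing metacharacters fails to match itself (or fails to compile), so it survives in the verbose trace; matching it as a literal string fixes this. The trace line, the secret, the function names and the marker text are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of a verbose login trace; not real cf CLI output.
const sampleTrace = `REQUEST: POST /oauth/token
grant_type=password&username=alice&password=p4ss(word)+1&scope=`

// RedactNaive compiles the secret itself as the pattern. Metacharacters
// such as ( ) + change its meaning, so the secret no longer matches itself
// and is left in the output; an uncompilable secret redacts nothing at all.
func RedactNaive(line, secret string) string {
	re, err := regexp.Compile(secret)
	if err != nil {
		return line // invalid pattern: nothing is redacted
	}
	return re.ReplaceAllString(line, "[PRIVATE DATA HIDDEN]")
}

// RedactSafe treats the secret as a literal byte sequence, so any secret
// is removed regardless of the characters it contains.
func RedactSafe(line, secret string) string {
	return strings.ReplaceAll(line, secret, "[PRIVATE DATA HIDDEN]")
}

// LeaksSecret is the check a reviewer or test wants: is the secret still
// present in the text that is about to be logged?
func LeaksSecret(redacted, secret string) bool {
	return strings.Contains(redacted, secret)
}

func main() {
	secret := "p4ss(word)+1"
	fmt.Println("naive leaks:", LeaksSecret(RedactNaive(sampleTrace, secret), secret)) // true
	fmt.Println("safe leaks: ", LeaksSecret(RedactSafe(sampleTrace, secret), secret))  // false
}
```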