cloudfoundry / notifications

The notifications service component of Cloud Foundry
Apache License 2.0

Request to bump to CF-CLI BOSH Release v1.16 #27

Closed chenl23 closed 5 years ago

chenl23 commented 5 years ago

This request is for both the notifications and notifications-ui releases.

What

Please adopt the CF-CLI BOSH Release v1.16.0 and consider enabling auto-bumping of the package.

Why

Security vulnerabilities in the cf CLI will require teams to update to the latest version of cf CLI in order to address the following:

Issue #1: Running cf login in verbose/debugging mode did not properly redact passwords which contain regex. This issue was introduced in the CF CLI in May 2018.

Issue #2: Running cf CLI commands in verbose/debugging mode did not properly redact refresh tokens. This has been a known issue since approximately 2014.

Issue #3: When a user uses cf auth --client-credentials to authenticate as a client, the CF CLI writes the client id and secret to its config.json file. This issue was introduced in the CF CLI in March 2018.

When

Please prioritize, as these issues have been identified by the Security team as High severity CVEs.

For any questions, please reach out to the CF CLI team on Pivotal Slack at #cf-cli.
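The first two issues above are both instances of one failure mode: verbose output is scrubbed by searching for the secret, and the scrubbing silently misses. Below is an added illustration of that mode and its fix, written for this page; it is not the cf CLI's own redaction code, and the log line, the password and the function names are constructed for the example. A redactor that compiles the secret itself as a regular expression either fails to compile (and returns the line untouched) or, as with a password containing "^", compiles but never matches. Escaping the secret with regexp.QuoteMeta, and separately blanking token fields by key rather than by value, closes both gaps.

```go
package main

import (
	"fmt"
	"regexp"
)

const redacted = "[PRIVATE DATA HIDDEN]"

// Constructed verbose-mode log line (not real cf CLI output). The password
// contains regex metacharacters and the response carries a refresh token.
const SampleLine = `{"username":"alice","password":"p@ss(word)^2","refresh_token":"rt-abc.123"}`

// SamplePassword is the constructed secret that should be scrubbed.
const SamplePassword = "p@ss(word)^2"

// RedactNaive treats the secret as a regex pattern. "p@ss(word)^2" compiles
// (the "^" becomes a start-of-text anchor) but can never match mid-line, so
// the password is left in the log. A secret such as "p@ss[word" does not
// compile at all, and the line is likewise returned unchanged.
func RedactNaive(line, secret string) string {
	re, err := regexp.Compile(secret)
	if err != nil {
		return line // compile failure: secret stays in the log
	}
	return re.ReplaceAllString(line, redacted)
}

// RedactSafe escapes the secret so it is matched as a literal string,
// whatever characters it contains.
func RedactSafe(line, secret string) string {
	re := regexp.MustCompile(regexp.QuoteMeta(secret))
	return re.ReplaceAllString(line, redacted)
}

// tokenField matches JSON token fields by key, so their values are blanked
// without the redactor having to know the token value in advance.
var tokenField = regexp.MustCompile(`("(?:access_token|refresh_token)"\s*:\s*")[^"]*(")`)

// RedactTokenFields blanks access_token and refresh_token values in a line.
func RedactTokenFields(line string) string {
	return tokenField.ReplaceAllString(line, "${1}"+redacted+"${2}")
}

func main() {
	fmt.Println("naive:  ", RedactNaive(SampleLine, SamplePassword))
	fmt.Println("safe:   ", RedactSafe(SampleLine, SamplePassword))
	fmt.Println("tokens: ", RedactTokenFields(RedactSafe(SampleLine, SamplePassword)))
}
```

Running it shows the naive redactor echoing the full password, the escaped redactor replacing it, and the key-based pass removing the refresh token regardless of its value. The key-based approach is the one that scales to tokens: a value-based search requires the logger to already hold every token it might print.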

cf-gitbot commented 5 years ago

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

chenl23 commented 5 years ago

Please hold off on adopting v1.15 because of a regression issue found with using cf oauth-token with client credential. Team is planning to deliver v1.16.

osis commented 5 years ago

@chenl23 cf notifications doesn't use any of those features, so I'm unsure why there is a need to bump.

chenl23 commented 5 years ago

@osis Even if your product does not use the above mentioned #1, #2, #3 use cases, someone can still exploit the system by running those CF CLI commands since they are available. Unless notification does not use CF CLI, then there is no chance of that happening. cc @abbyachau

osis commented 5 years ago

@chenl23 The CF CLI exists in CF Notifications in the form of an ephemeral VM when deployed. The CF CLI does not stick around for general use at any time. Will be dealt with via the next maintenance cycle.

chenl23 commented 5 years ago

@osis FYI, CLI BOSH v1.16.0 is available. Please adopt it.

Important: Please read the release notes for a known issue with log-cache; we expect this to affect users running CATs in particular.