- cf-deployment all versions prior to 1.14.0
- routing-release all versions prior to 0.172.0
We are currently waiting on PAS patches. All versions of PAS have this vulnerability. Whether a particular customer is affected depends on their Load Balancer configuration.
The following information has been sent to cf-dev and can be considered public.
The details are captured in https://www.cloudfoundry.org/blog/cve-2018-1221/
Description of the exploit:
The vulnerability lies in the WebSocket implementation in Gorouter.
The vulnerability is exposed when:
- The LB recognizes HTTP requests (L7) and requests a WebSocket upgrade to Gorouter
- The LB leverages HTTP keepalive connections to Gorouter
AWS Classic ELBs do not support WebSocket requests in HTTP mode and so do not expose the vulnerability. AWS ALBs (Application Load Balancers) do support WebSockets in HTTP mode and so do expose the vulnerability.
Developers with access to cf push are able to exploit this vulnerability in vulnerable installations to gather sensitive data, potentially including usernames and passwords, JWT/OAuth tokens, and UAA client IDs and secrets.
How to tell if your CF installation is affected
Your CF installations are affected if ANY of the following are true:
- Your load balancer recognizes HTTP requests (L7) AND will initiate a WebSocket handshake with Gorouter when the client initiates one AND the load balancer leverages HTTP keepalive connections to Gorouter
- You are using AWS Application Load Balancers (ALB)
How to tell if your CF installation is NOT affected
Your CF installations are not affected if ANY of the following are true:
- You are using LBs that are not HTTP-aware; they pass requests through to Gorouter over TCP
- Your load balancer does not use HTTP keepalive connections to Gorouter
- You are using AWS Classic ELBs (these load balancers must be configured in TCP mode to support WebSockets; they do not support the WebSocket protocol in HTTP mode)
How to tell if your installation has been exploited
- Requests for routes are intermittently routed to unexpected applications and unexpected responses are received, e.g. a login request from the cf CLI receives an unexpected or non-standard response.
- The number of HTTP requests the load balancer has a record of is far more than the number that all Gorouters know about; this could indicate that Gorouter is sending those HTTP requests over what it considers to be an upgraded WebSocket connection.
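The request-count comparison in the second indicator above, as an added example that is not part of this advisory or of the Cloud Foundry project's code: it buckets load balancer and Gorouter access-log lines per minute and flags any minute in which the load balancer recorded far more requests than all Gorouter instances combined. The log lines, their simplified field layout, the 1.5x ratio and the minimum of 5 requests per minute are constructed assumptions for the example; only the ISO-8601 timestamp near the start of each line is parsed.

```python
"""Per-minute comparison of load balancer request counts against the
requests logged by every Gorouter instance.

Added example for this advisory, not code from Cloud Foundry or
routing-release. All log lines are constructed sample data in a simplified
layout (assumption); they are not real ALB or Gorouter access log output.
"""
import re
from collections import Counter

# Matches the year-to-minute prefix of an ISO-8601 timestamp, which is enough
# to bucket both the constructed LB lines and the constructed Gorouter lines.
MINUTE_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2})")

# Constructed, simplified ALB-style access log (assumed layout): the second
# field is the request timestamp.
LB_LOG = """\
https 2018-03-06T10:00:05.123456Z app/cf-lb/abc 203.0.113.10:51000 10.0.16.5:80 200 "GET https://api.example.test:443/v2/info HTTP/1.1"
https 2018-03-06T10:00:12.223456Z app/cf-lb/abc 203.0.113.10:51001 10.0.16.5:80 200 "GET https://login.example.test:443/login HTTP/1.1"
https 2018-03-06T10:00:40.323456Z app/cf-lb/abc 203.0.113.11:51002 10.0.16.6:80 200 "POST https://login.example.test:443/oauth/token HTTP/1.1"
https 2018-03-06T10:01:03.423456Z app/cf-lb/abc 203.0.113.12:51003 10.0.16.5:80 200 "GET https://api.example.test:443/v2/apps HTTP/1.1"
https 2018-03-06T10:01:10.523456Z app/cf-lb/abc 203.0.113.12:51004 10.0.16.5:80 200 "GET https://api.example.test:443/v2/spaces HTTP/1.1"
https 2018-03-06T10:01:15.623456Z app/cf-lb/abc 203.0.113.13:51005 10.0.16.6:80 200 "POST https://login.example.test:443/oauth/token HTTP/1.1"
https 2018-03-06T10:01:20.723456Z app/cf-lb/abc 203.0.113.14:51006 10.0.16.6:80 200 "GET https://api.example.test:443/v2/info HTTP/1.1"
https 2018-03-06T10:01:33.823456Z app/cf-lb/abc 203.0.113.14:51007 10.0.16.5:80 200 "POST https://login.example.test:443/oauth/token HTTP/1.1"
https 2018-03-06T10:01:41.923456Z app/cf-lb/abc 203.0.113.15:51008 10.0.16.6:80 200 "GET https://api.example.test:443/v2/apps HTTP/1.1"
"""

# Constructed, simplified Gorouter-style access logs (assumed layout), one per
# Gorouter instance. Together they are what "all Gorouters know about".
GOROUTER_LOGS = [
    """\
api.example.test - [2018-03-06T10:00:05.130+0000] "GET /v2/info HTTP/1.1" 200 0 318 "-" "cf/6.34.1" "203.0.113.10:51000" "10.0.32.5:9022"
login.example.test - [2018-03-06T10:00:40.330+0000] "POST /oauth/token HTTP/1.1" 200 122 1200 "-" "cf/6.34.1" "203.0.113.11:51002" "10.0.32.9:8080"
api.example.test - [2018-03-06T10:01:03.430+0000] "GET /v2/apps HTTP/1.1" 200 0 4120 "-" "cf/6.34.1" "203.0.113.12:51003" "10.0.32.5:9022"
""",
    """\
login.example.test - [2018-03-06T10:00:12.230+0000] "GET /login HTTP/1.1" 200 0 2048 "-" "cf/6.34.1" "203.0.113.10:51001" "10.0.32.9:8080"
login.example.test - [2018-03-06T10:01:15.630+0000] "POST /oauth/token HTTP/1.1" 200 122 1200 "-" "cf/6.34.1" "203.0.113.13:51005" "10.0.32.9:8080"
""",
]


def bucket_counts(log_text):
    """Count log lines per minute, keyed by 'YYYY-MM-DDTHH:MM'.

    Lines without a recognizable timestamp are ignored rather than counted,
    so a truncated or malformed line cannot inflate either side.
    """
    counts = Counter()
    for line in log_text.splitlines():
        match = MINUTE_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def find_discrepancies(lb_counts, gorouter_counts, ratio=1.5, min_requests=5):
    """Return (minute, lb_count, gorouter_count) for every minute in which the
    load balancer recorded at least `min_requests` requests and more than
    `ratio` times what all Gorouters logged.

    The thresholds are assumptions for this example; tune them to the normal
    gap between the two sources in your own environment (health checks, for
    instance, may be logged on only one side).
    """
    flagged = []
    for minute in sorted(lb_counts):
        lb = lb_counts[minute]
        gr = gorouter_counts.get(minute, 0)
        if lb >= min_requests and lb > ratio * gr:
            flagged.append((minute, lb, gr))
    return flagged


def analyze(lb_log, gorouter_logs, **thresholds):
    """Merge every Gorouter's per-minute counts, then compare with the LB."""
    gorouter_total = Counter()
    for log_text in gorouter_logs:
        gorouter_total.update(bucket_counts(log_text))
    return find_discrepancies(bucket_counts(lb_log), gorouter_total, **thresholds)


if __name__ == "__main__":
    for minute, lb, gr in analyze(LB_LOG, GOROUTER_LOGS):
        print(f"{minute}: load balancer logged {lb} requests, Gorouters logged {gr}")
```

In the constructed data the 10:00 minute matches on both sides (3 and 3), while 10:01 shows 6 requests at the load balancer against 2 across both Gorouters, which is the pattern the advisory describes. Run it against real exports by replacing the two constants with the contents of your LB and Gorouter access logs for the same window and adjusting the timestamp regex if your log layout differs.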
- For OSS: Patch the gorouter using the latest routing-release or cf-deployment.
- For PCF: Wait for PAS upgrades to become available.
- Rotate BOSH credentials once the patch is applied.