Headline
CVE-2023-20881: CVE-2023-20881: CAs for syslog-drain mtls feature can be overwritten | Cloud Foundry
Cloud foundry instances having CAPI version between 1.140 and 1.152.0 along with loggregator-agent v7+ may override other users syslog drain credentials if they’re aware of the client certificate used for that syslog drain. This applies even if the drain has zero certs. This would allow the user to override the private key and add or modify a certificate authority used for the connection.
Severity
Medium
Vendor
Cloud Foundry Foundation
Description
Users on cf may override other users syslog drain credentials if they’re aware of the client certificate used for that syslog drain. This applies even if the drain has zero certs. This would allow the user to override the private key and add or modify a certificate authority used for the connection leading to Denial of Service attack or causing the drain to permit bad certificates.
Affected Cloud Foundry Products and Versions
Severity is medium unless otherwise noted.
- CAPI
- All versions between 1.140 and 1.152.0
- Loggregator-agent v7+
- CF Deployment
- All versions between 24.7.0 and 29.0.0
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:
- CAPI
- Upgrade all versions to 1.152.0 or greater
- CF Deployment
- Upgrade all versions to 29.0.0 or greater
Credit
This issue was reported by Felix Hambrecht.
References
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:H
History
2023-05-18: Initial vulnerability report published.
Sign up for the
Cloud Foundry Newsletter today!