By Molly Crowther & Rasheed Abdul-aziz
On February 23, 2017 Cloudflare disclosed that a parser bug (colloquially known as "Cloudbleed") may have caused requests going through Cloudflare servers to return memory containing private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data, some of which had been cached by search engines.
Pivotal is currently investigating whether any Pivotal products may be affected by this vulnerability and the impact of the vulnerability on each affected product (if any). The initial results of our investigation are below. As the investigation progresses, Pivotal will update this blog post with information about any affected products, including any available workarounds or fixed software releases.
What happened?
The Cloudflare CDN (Content Delivery Network) is used to improve website performance by caching data in a global network.
According to Cloudflare, Google's Project Zero contacted them on February 17, 2017 to report a security problem with Cloudflare’s edge servers. Google engineers were seeing corrupted web pages being returned by some HTTP requests run through Cloudflare. Cloudflare’s edge servers were apparently running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. This leaked data was not necessarily from the originating site if secondary requests were being made to other websites. Search engines cached some of that data.
This issue has existed since September 2016, with the greatest impact between February 13 and February 18, 2017. Within a few hours of being contacted by Project Zero, Cloudflare was able to mitigate the issue, and spent several days working with major search engines to clear their caches before going public with the bug.
What's the current state of Cloudbleed?
According to Cloudflare, the leak is no longer actively occurring. However, web caches and request caches may still contain leaked information. This means that leaked data could still be persisted in cached responses of other sites that use Cloudflare. Cloudflare is updating the results of its investigation here.
How might Pivotal customers be affected?
Pivotal does not incorporate Cloudflare into our products, but if a Pivotal customer chooses to use Cloudflare in connection with Pivotal products, it is possible that data may have been affected by the Cloudflare parser bug. In addition, Pivotal-related web properties—bosh.io and spring.io—use Cloudflare as a CDN, and we are continuing to investigate the effect of Cloudbleed on those web properties.
Pivotal Cloud Foundry
Pivotal Cloud Foundry is not affected by Cloudbleed unless customers are using Cloudflare as a CDN. For Pivotal Cloud Foundry users using Cloudflare as a CDN, we recommend rotation of the Pivotal Cloud Foundry operator or developer credentials associated with any applications or sites.
Pivotal Web Services (PWS)
PWS is not affected by Cloudbleed unless customers are using Cloudflare as a CDN. For PWS users using Cloudflare as a CDN, we recommend rotation of the PWS operator or developer credentials associated with any applications or sites.
Pivotal Network
Pivotal Network does not use Cloudflare as a CDN and is not affected by this issue.
Pivotal Tracker
Pivotal Tracker does not use Cloudflare as a CDN and is not affected by this issue.
Other Pivotal Products + Sites
Our investigation is ongoing, and we will continue to update this blog post as we have more information about other Pivotal products and services.
What should I do to investigate whether I have a problem?
Pivotal customers should investigate all of their applications and websites. Follow the steps below to identify if you might be vulnerable.
- Does the site or app use Cloudflare as a CDN?
  - No – You are probably not vulnerable
  - Yes – Continue
- Does it expose sensitive information over HTTP?
  - No – Continue
  - Yes – You are potentially vulnerable to a leak of sensitive information. More details can be found on the Cloudflare blog.
- Does it expose sensitive information over HTTPS and use either a Cloudflare SSL/TLS certificate or an SSL/TLS certificate you uploaded to Cloudflare (so it could effectively cache HTTPS)?
  - No – You are probably not vulnerable
  - Yes – You are potentially vulnerable to a leak of sensitive information. More details can be found on the Cloudflare blog.
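For teams with many applications to check, the three questions above can be run over an inventory. The following is an added example, not Pivotal's or Cloudflare's code; the `Site` record, the sample inventory, and the use of the `Server` and `CF-RAY` response headers to answer the first question are assumptions of this example.

```python
from dataclasses import dataclass

# Headers Cloudflare's edge adds to responses. Matching on them is a
# heuristic chosen for this example, not a check the advisory prescribes.
CLOUDFLARE_HEADERS = ("cf-ray", "cf-cache-status")


@dataclass
class Site:                      # hypothetical inventory record
    name: str
    headers: dict                # response headers captured from the public hostname
    sensitive_over_http: bool    # question 2
    sensitive_over_https: bool   # question 3, first half
    tls_at_cloudflare: bool      # question 3: Cloudflare-issued or uploaded certificate


def behind_cloudflare(headers):
    """Question 1: does the response look like it came through Cloudflare?"""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    return h.get("server", "").startswith("cloudflare") or any(
        name in h for name in CLOUDFLARE_HEADERS)


def triage(site):
    """Walk the three questions in the order the advisory lists them."""
    if not behind_cloudflare(site.headers):
        return "probably not vulnerable"
    if site.sensitive_over_http:
        return "potentially vulnerable"
    if site.sensitive_over_https and site.tls_at_cloudflare:
        return "potentially vulnerable"
    return "probably not vulnerable"


# Constructed sample inventory; hostnames and header values are made up.
INVENTORY = [
    Site("static.example.test", {"Server": "nginx"}, True, True, False),
    Site("login.example.test", {"Server": "cloudflare-nginx", "CF-RAY": "0000000000000000-XXX"},
         False, True, True),
    Site("legacy.example.test", {"cf-ray": "0000000000000000-XXX"}, True, False, False),
    Site("docs.example.test", {"Server": "cloudflare-nginx"}, False, False, True),
]


def report(inventory=INVENTORY):
    """Map each site name to its triage verdict."""
    return {site.name: triage(site) for site in inventory}
```

Response headers only show whether a site is behind Cloudflare today; for a site that was moved off Cloudflare after September 2016, answer the first question from DNS or change history instead.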
Who can I contact at Pivotal for help?
If you have any questions or concerns related to Cloudbleed and how it affects Pivotal products, please contact [email protected].
If you have concerns about Cloudbleed that are not Pivotal-related, please contact Cloudflare or your organization's IT team.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. PIVOTAL RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. PIVOTAL EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.