CVE-2022-31733
Description
In Cloud Foundry, a bug in diego-release 2.55.0-2.69.0 and CF Deployment 17.1-23.2.0 exposes an unsecured port, allowing bypass of the mTLS client certificate requirement.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Cloud Foundry, a bug in diego-release versions 2.55.0 through 2.69.0 (inclusive) and cf-deployment versions 17.1 through 23.2.0 (inclusive) introduces an additional port on diego cells that allows application ingress without requiring a client certificate. This occurs when mTLS route integrity is enabled (rep.containers.proxy.require_and_verify_client_certificates) and unproxied port mappings are turned off (containers.proxy.enable_unproxied_port_mappings). Under these conditions, the application is still reachable via a non-mTLS port, bypassing the intended client certificate verification [1].
Exploitation
An attacker with network access to the diego cell can connect to the unproxied port without presenting a client certificate. The attacker does not need any authentication or prior access. The exploitation requires the specific configuration where mTLS route integrity is enabled and unproxied ports are disabled. If the platform is not configured this way, there is no impact because applications are already reachable via a non-mTLS port [1].
Impact
Successful exploitation allows an attacker to reach an application that should only be reachable via mTLS, without presenting a client certificate. This can lead to unauthorized access to application data or functionality, potentially resulting in information disclosure or further compromise. The attacker gains the same access to the application as any unauthenticated user would have if mTLS were not enforced [1].
Mitigation
The Cloud Foundry project recommends upgrading to fixed versions: diego-release 2.69.1 or later, and cf-deployment 23.3.0 or later. No workaround is provided. Users of affected versions should upgrade immediately [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cf-deployment: >=17.1, <=23.2.0
- diego-release: >=2.55.0, <=2.69.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.