Pivotal Cloud Foundry Security Overview and Policy
This document outlines our security policy and is addressed to operators deploying Pivotal Cloud Foundry (PCF) using Pivotal Cloud Foundry Operations Manager.
For a comprehensive overview of the security architecture of each PCF component, refer to the Cloud Foundry Security topic.
Pivotal receives private reports on vulnerabilities from customers and from field personnel via our secure disclosure process. We also monitor public repositories of software security vulnerabilities to identify newly discovered vulnerabilities that might affect one or more of our products.
Pivotal encourages users who become aware of a security vulnerability in our products to contact Pivotal with details of the vulnerability. Please send descriptions of any vulnerabilities found to email@example.com. Please include details on the software and hardware configuration of your system so that we can reproduce the issue.
Note: We encourage use of encrypted email. Our public PGP key is located at http://www.pivotal.io/security.
PCF has many customer stakeholders who need to know about security updates. When there is a possible security vulnerability identified for a PCF component, we do the following:
- Assess the impact to PCF.
- If the vulnerability would affect a PCF component, we schedule an update for the impacted component(s).
- Update the affected component(s) and perform system tests.
- Announce the fix publicly via the following channels:
Attackers can exploit vulnerabilities to compromise user data and processing resources. This can affect data confidentiality, integrity, and availability to different degrees. For vulnerabilities related to Ubuntu provided packages, Pivotal follows Canonical’s priority levels. For other vulnerabilities, Pivotal follows Common Vulnerability Scoring System v3.0 standards when assessing severity.
Pivotal uses Canonical’s Ubuntu distribution of Linux for PCF Ubuntu stemcells and rootfs. Canonical provides Pivotal with support services allowing us to escalate CVEs that we determine may affect PCF. In general, Pivotal does not escalate to upstream open source software components or vendors for Medium or Low CVEs that are not yet patched. PCF may escalate on behalf of a customer for High or Critical CVEs. PCF customers who are interested in addressing CVEs in Ubuntu that are not yet patched can establish their own support relationship with Canonical.
Pivotal reports the severity of vulnerabilities using the following severity classes:
High severity vulnerabilities are those that can be exploited by an unauthenticated or authenticated attacker, from the Internet or those that break the guest/host Operating System isolation. The exploitation could result in the complete compromise of confidentiality, integrity, and availability of user data and/or processing resources without user interaction. Exploitation could be leveraged to propagate an Internet worm or execute arbitrary code between Virtual Machines and/or the Host Operating System. This rating also applies to those vulnerabilities that could lead to the complete compromise of availability when the exploitation is by a remote unauthenticated attacker from the Internet or through a breach of virtual machine isolation.
Moderate vulnerabilities are those in which the ability to exploit is mitigated to a significant degree by configuration or difficulty of exploitation, but in certain deployment scenarios could still lead to the compromise of confidentiality, integrity, or availability of user data and/or processing resources.
Low vulnerabilities are all other issues that have a security impact. These include vulnerabilities for which exploitation is believed to be extremely difficult, or for which successful exploitation would have minimal impact.
PCF schedules regular monthly releases of software in the PCF Suite to address Low / Medium severity vulnerability exploits. When High severity vulnerability exploits are identified, PCF releases fixes to software in the PCF Suite on-demand, with as fast a turnaround as possible.