Cloud Foundry Logo
blog single gear
Blog
Security Advisory

CVE-2017-8031: UAA Denial of Service through client token revocation endpoint

by: November 7, 2017

CVE-2017-8031: UAA Denial of Service through client token revocation endpoint

Severity

Medium

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • cf-release
    • All versions prior to v279
  • UAA
    • 30.x versions prior to 30.6
    • 45.x versions prior to 45.4
    • 52.x versions prior to 52.1

Description

In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service.

Mitigation

Users of affected versions should apply the following mitigations or upgrades.

  • Releases that have fixed this issue include:
    • cf-release: v279
    • UAA: 30.6, 45.4, 52.1

Credit

This issue was responsibly reported by the UAA team.

History

2017-11-07: Initial vulnerability report published.

2017-11-16: Added cf-release version info.

 

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-3981-2: Linux kernel (HWE) vulnerabilities (AKA ZombieLoad Attack)
Security Advisory

USN-3981-2: Linux kernel (HWE) vulnerabilities (AKA ZombieLoad Attack)

by Cloud Foundry Foundation Security Team May 20, 2019
USN-2836-1 grub2 vulnerability
Security Advisory

USN-2836-1 grub2 vulnerability

by Cloud Foundry Foundation Security Team January 7, 2016
CVE-2019-3786: BBR could run arbitrary scripts on deployment VMs
Security Advisory

CVE-2019-3786: BBR could run arbitrary scripts on deployment VMs

by Cloud Foundry Foundation Security Team April 8, 2019
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept