Severity

Low

Vendor

Cloud Foundry Foundation

Versions Affected

• Cloud Foundry release v236 and earlier versions
• UAA release v3.3.0 and earlier versions
• All versions of Login-server
• UAA release v10 and earlier versions

Description

The UAA reset password flow is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.

Mitigation

Users are strongly encouraged to follow one of the mitigations below:

• Upgrade to Cloud Foundry v237 [1] or later

For standalone UAA users:

• For users using UAA version 3.3.0 or prior, please upgrade to UAA Release to v3.3.0.1 [2] or later
• For users using standalone login-server 1.X, please upgrade to UAA Release to v3.3.0.1 [2] or later
• For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v11 [3] or later

Credit

GE Digital Inc.

References

• [1] https://github.com/cloudfoundry/cf-release/releases/tag/v237
• [2] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.1
• [3] https://github.com/cloudfoundry/uaa-release/releases/tag/v11

History

2016-May-23: Initial vulnerability report published