Severity
High
Vendor
Cloud Foundry Foundation
Versions Affected
- Cloud Foundry release v239 and earlier versions
- UAA release v3.4.1 and earlier versions
- UAA-Release (UAA bosh release) v12.2 and earlier versions
Description
UAA uses the OpenJDK Java Runtime Environment TrustManager to hold its trusted certificates. By default, the TrustManager does not check whether a trusted certificate is still within its validity period, and UAA was found to accept certificates that had already expired.
Mitigation
Users of affected versions should apply the following mitigation:
- Upgrade to Cloud Foundry v240 [1] or later
For standalone UAA users:
- For users using UAA Version 3.0.0 – 3.4.0, please upgrade UAA to v3.3.0.3 [3] or v3.4.2 [4]
- For users using standalone UAA Version 2.X.X, please upgrade UAA to v2.7.4.6 [2]
- For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v12.3 [5] if upgrading to UAA v3.4.2 [4], or to UAA-Release v11.3 [6] if upgrading to UAA v3.3.0.3 [3]
Credit
Krolim
References
[1] https://github.com/cloudfoundry/cf-release/releases/tag/v240
[2] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6
[3] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3
[4] https://github.com/cloudfoundry/uaa/releases/tag/3.4.2
[5] https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3
[6] https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3
History
2016-August-18: Initial vulnerability report published