CVE-2016-6637 UAA CSRF Vulnerability for OAuth Approvals

Severity

Low

Vendor

Cloud Foundry Foundation

Versions Affected

• Cloud Foundry release v241 and earlier versions
• UAA release v2.0.0 – v2.7.4.6 & v3.0.0 – v3.6.0
• UAA bosh release v15 & earlier versions

Description

The profile and authorize approval pages do not contain CSRF tokens, making an exploit to approve or deny scopes possible.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

• Upgrade to Cloud Foundry v242 [1] or later

For standalone UAA users:

• For users using UAA Version 3.0.0 – 3.6.0, please upgrade to UAA Release to v3.7.0[2], v3.4.4[3] or v3.3.0.5[4]
• For users using standalone UAA Version 2.X.X, please upgrade to UAA Release to v2.7.4.7 [5]
• For users using UAA bosh release, please upgrade to UAA-Release v16 [6] if upgrading to v3.7.0 [2] ,v12.5 [7] if upgrading to v3.4.4[3] or v11.5 [8] if upgrading to v3.3.0.5[4]

Credit

GE Digital Security Team

References

• https://github.com/cloudfoundry/cf-release/releases/tag/v242
• https://github.com/cloudfoundry/uaa/releases/tag/3.7.0
• https://github.com/cloudfoundry/uaa/releases/tag/3.4.4
• https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.5
• https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.7
• https://github.com/cloudfoundry/uaa-release/releases/tag/v16
• https://github.com/cloudfoundry/uaa-release/releases/tag/v12.5
• https://github.com/cloudfoundry/uaa-release/releases/tag/v11.5

History

2016-09-26: Initial vulnerability report published