Severity

Critical

Vendor

Cloud Foundry Foundation

Versions Affected

• Cloud Foundry release v247 and earlier versions
• UAA release v3.9.2 & earlier versions
• UAA bosh release (uaa-release) v23 & earlier versions

Description

This security update resolves vulnerabilities in UAA. The most severe of the vulnerabilities could allow elevation of privilege if an attacker gains access to UAA logs and subsequently runs a specially crafted application that interacts with a configured SAML provider.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

• Upgrade to Cloud Foundry v248 [1] or later
• For standalone UAA users:
  • For users using UAA Version 3.0.0 – 3.9.2, please upgrade to UAA Release to v3.9.3[2] or v3.6.5[3]
  • For users using standalone UAA Version 2.X.X, please upgrade to UAA Release to v2.7.4.12 [4]
  • For users using UAA bosh release, please upgrade to UAA-Release v24 [5] if upgrading to v3.9.3 [2] or v13.9 [6] if upgrading to v3.6.5[3]

Credit

• David King  –  Security Engineer, Government Digital Service
• Graham Bleach – Technical Architect, Government Digital Service
• Piotr Komborski – Engineer, Government Digital Service

References

• [1] https://github.com/cloudfoundry/cf-release/releases/tag/v248
• [2] https://github.com/cloudfoundry/uaa/releases/tag/3.9.3
• [3] https://github.com/cloudfoundry/uaa/releases/tag/3.6.5
• [4] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.12
• [5] https://github.com/cloudfoundry/uaa-release/releases/tag/v24
• [6] https://github.com/cloudfoundry/uaa-release/releases/tag/v13.9

History

2016-12-12: Initial vulnerability report published