CVE-2017-4963: Session Fixation for UAA External  Authentication

Severity

Low

Vendor

Cloud Foundry Foundation

Versions Affected

• Cloud Foundry release v252 and earlier versions
• UAA stand-alone release v2.0.0 – v2.7.4.12 & v3.0.0 – v3.11.0
• UAA bosh release v26 & earlier versions

Description

UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

• Upgrade to Cloud Foundry v253 [1] or later
• For standalone UAA users:
  • For users using standalone UAA Version 3.X.X, please upgrade to UAA Release to v3.6.7[2],v3.9.5[3] , or v3.12.0[4]
  • For users using standalone UAA Version 2.X.X, please upgrade to UAA Release to v2.7.4.13 [5]
  • For users using UAA bosh release, please upgrade to UAA-Release v13.11 [6] if upgrading to v3.6.7 [2] ,v24.2 [7] if upgrading to v3.9.5[3] or v27 [8] if upgrading to v3.12.0[8]

Credit

This issue was responsibly reported by the GE Digital Security Team.

References

1. https://github.com/cloudfoundry/cf-release/releases/tag/v253
2. https://github.com/cloudfoundry/uaa/releases/tag/3.6.7
3. https://github.com/cloudfoundry/uaa/releases/tag/3.9.5
4. https://github.com/cloudfoundry/uaa/releases/tag/3.12.0
5. https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.13
6. https://github.com/cloudfoundry/uaa-release/releases/tag/v13.11
7. https://github.com/cloudfoundry/uaa-release/releases/tag/v24.2
8. https://github.com/cloudfoundry/uaa-release/releases/tag/v27

History

2017-03-29: Initial vulnerability report published