CVE-2017-4963: Session Fixation for UAA External Authentication
Severity
Low
Vendor
Cloud Foundry Foundation
Versions Affected
- Cloud Foundry release v252 and earlier versions
- UAA stand-alone release v2.0.0 – v2.7.4.12 & v3.0.0 – v3.11.0
- UAA bosh release v26 & earlier versions
Description
UAA is vulnerable to session fixation when configured to authenticate against external SAML or OpenID Connect based identity providers.
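Session fixation in an externally brokered login means the session identifier established before the user is sent to the SAML or OpenID Connect provider remains the identifier of the authenticated session after the provider's callback. The defensive property to check is that the service issues a fresh identifier at the moment the session becomes authenticated and invalidates the old one. The following is an added example, not UAA code or Cloud Foundry Foundation code; it models a minimal session store and an identity-provider callback in two variants (fixation-prone and hardened), and a check that a reviewer could apply to any login flow. All names (SessionStore, idp_callback_hardened, the sample user) are hypothetical.

```python
"""
Added example (not Cloud Foundry/UAA code): a toy model of a login flow that
completes via an external identity-provider (SAML/OIDC) callback, showing why
the session identifier must be rotated when the session becomes authenticated.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Session:
    # Server-side state bound to one session identifier (cookie value).
    user: Optional[str] = None
    attrs: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        # Anonymous session created before the user is sent to the IdP.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def rotate(self, old_sid: str) -> str:
        # Keep the session state, but bind it to a new identifier and
        # invalidate the old one so a previously known id is useless.
        sess = self._sessions.pop(old_sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = sess
        return new_sid


def idp_callback_fixation_prone(store: SessionStore, sid: str, asserted_user: str) -> str:
    # Marks the existing session as authenticated without changing its id:
    # the cookie value is identical before and after login.
    sess = store.get(sid)
    if sess is None:
        raise ValueError("unknown session")
    sess.user = asserted_user
    return sid


def idp_callback_hardened(store: SessionStore, sid: str, asserted_user: str) -> str:
    # Authenticates the session and immediately rotates its identifier.
    sess = store.get(sid)
    if sess is None:
        raise ValueError("unknown session")
    sess.user = asserted_user
    return store.rotate(sid)


def session_id_rotates_on_login(callback: Callable[[SessionStore, str, str], str]) -> bool:
    """Check: after login, the pre-authentication id must not be a valid
    authenticated session, and the client must have received a new id."""
    store = SessionStore()
    pre_auth_sid = store.create()
    post_auth_sid = callback(store, pre_auth_sid, "alice@example.test")  # constructed sample user
    stale = store.get(pre_auth_sid)
    return post_auth_sid != pre_auth_sid and stale is None


if __name__ == "__main__":
    print("fixation-prone flow rotates id:", session_id_rotates_on_login(idp_callback_fixation_prone))
    print("hardened flow rotates id:", session_id_rotates_on_login(idp_callback_hardened))
```

The same check translates directly to a black-box test against a deployed service: record the session cookie value before redirection to the identity provider, complete the login, and verify that the cookie value has changed and that the old value no longer resolves to an authenticated session. Many web frameworks implement this rotation as a built-in option (Spring Security's session-fixation protection is one such mechanism); the check above confirms that it is actually in effect on the external-authentication path, which is where this advisory reports it was missing.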
Mitigation
OSS users are strongly encouraged to follow one of the mitigations below:
- Upgrade to Cloud Foundry v253 [1] or later
- For standalone UAA users:
  - For users of standalone UAA version 3.X.X, upgrade to UAA release v3.6.7 [2], v3.9.5 [3], or v3.12.0 [4]
  - For users of standalone UAA version 2.X.X, upgrade to UAA release v2.7.4.13 [5]
  - For users of the UAA bosh release, upgrade to UAA-Release v13.11 [6] if upgrading to v3.6.7 [2], v24.2 [7] if upgrading to v3.9.5 [3], or v27 [8] if upgrading to v3.12.0 [4]
Credit
This issue was responsibly reported by the GE Digital Security Team.
References
- https://github.com/cloudfoundry/cf-release/releases/tag/v253
- https://github.com/cloudfoundry/uaa/releases/tag/3.6.7
- https://github.com/cloudfoundry/uaa/releases/tag/3.9.5
- https://github.com/cloudfoundry/uaa/releases/tag/3.12.0
- https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.13
- https://github.com/cloudfoundry/uaa-release/releases/tag/v13.11
- https://github.com/cloudfoundry/uaa-release/releases/tag/v24.2
- https://github.com/cloudfoundry/uaa-release/releases/tag/v27
History
2017-03-29: Initial vulnerability report published