Security Advisory

CVE-2017-8031: UAA Denial of Service through client token revocation endpoint

Severity

Medium

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • cf-release
    • All versions prior to v279
  • UAA
    • 30.x versions prior to 30.6
    • 45.x versions prior to 45.4
    • 52.x versions prior to 52.1

Description

In some cases, the UAA allows a user authenticated for a particular client to revoke client tokens belonging to other users of the same client. This occurs only when the client uses opaque tokens, or JWT tokens that are validated through the check_token endpoint. A malicious actor could exploit this to cause a denial of service.

Mitigation

Users of affected versions should apply the following mitigations or upgrades.

  • Releases that have fixed this issue include:
    • cf-release: v279
    • UAA: 30.6, 45.4, 52.1
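The following helper, added here and not part of the advisory or of the UAA project, checks a deployed version string against the affected ranges listed above. It assumes UAA versions are written as MAJOR.MINOR (an optional patch component is tolerated) and cf-release versions as vNNN or NNN; release lines the advisory does not mention are reported as unknown rather than as safe.

```python
"""Check a deployed version against the ranges listed for CVE-2017-8031.

Assumptions (not from the advisory): UAA versions look like '45.3' or
'45.3.0'; cf-release versions look like 'v278' or '278'.
"""
import re

# First fixed minor version per UAA release line, as listed in the advisory.
UAA_FIXED = {30: 6, 45: 4, 52: 1}
# First fixed cf-release version, as listed in the advisory.
CF_RELEASE_FIXED = 279


def parse_uaa_version(version):
    """Return (major, minor) from a UAA version string such as '45.3'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.\d+)?", version.strip())
    if not m:
        raise ValueError("unrecognised UAA version: %r" % version)
    return int(m.group(1)), int(m.group(2))


def uaa_affected(version):
    """True if the UAA version is in an affected range, False if it is at or
    past the fix for its line, None if the advisory does not list that line."""
    major, minor = parse_uaa_version(version)
    if major not in UAA_FIXED:
        return None
    return minor < UAA_FIXED[major]


def cf_release_affected(version):
    """True for cf-release builds prior to v279, False otherwise."""
    m = re.fullmatch(r"v?(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised cf-release version: %r" % version)
    return int(m.group(1)) < CF_RELEASE_FIXED


if __name__ == "__main__":
    # Constructed sample inputs around each fix boundary.
    for v in ("30.5", "30.6", "45.3", "45.4", "52.0", "52.1", "40.0"):
        print("UAA", v, "affected:", uaa_affected(v))
    for v in ("v278", "v279"):
        print("cf-release", v, "affected:", cf_release_affected(v))
```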

Credit

This issue was responsibly reported by the UAA team.

History

2017-11-07: Initial vulnerability report published.

2017-11-16: Added cf-release version info.


Author: Cloud Foundry Foundation Security Team
