CVE-2017-8032: UAA Identity Zone Admin Privilege Escalation
Severity
High
Vendor
Cloud Foundry Foundation
Versions Affected
- Please see additional information in the Mitigation section to determine if your foundation is affected.
- cf-release versions prior to v264
- UAA release:
- All versions of UAA v2.x.x
- 3.6.x versions prior to v3.6.13
- 3.9.x versions prior to v3.9.15
- 3.20.x versions prior to v3.20.0
- Other versions prior to v4.4.0
- UAA bosh release (uaa-release):
- 13.x versions prior to v13.17
- 24.x versions prior to v24.12
- 30.x versions prior to 30.5
- Other versions prior to v41
Description
Zone administrators are allowed to escalate their privileges when mapping permissions for an external provider.
Mitigation
A foundation is affected by this issue only if all of the following are true. It is possible to mitigate this issue prior to upgrade by updating your UAA configuration to make any one of these statements false.
- You are using multiple zones in UAA
- You are giving out admin privileges for managing external providers (LDAP/SAML/OIDC) and corresponding group mappings
- You have enabled LDAP/SAML/OIDC providers and external group mappings
Users of affected versions should apply the following mitigation or upgrade:
- Upgrade to Cloud Foundry 264 [1] or later
- For standalone UAA users:
- For users using UAA Version 2.x.x, please upgrade to a fixed version of 3.x.x
- For users using UAA Version 3.0.0 – 3.20.0, please upgrade to UAA Release to v3.20.0 [2] or v3.9.15 [3] or v3.6.13 [4]
- For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v30.5 [5] if upgrading to v3.20.0 [2] or v24.12 [6] if upgrading to v3.9.15 [3] and v13.17 [7] if upgrading to v3.6.13 [4]
- For users using the latest version, please upgrade to v41 [8].
Credit
This vulnerability was responsibly reported by the Cloud Foundry UAA team.
References
- [1] https://github.com/cloudfoundry/cf-release/releases
- [2] https://github.com/cloudfoundry/uaa/releases/tag/3.20.0
- [3] https://github.com/cloudfoundry/uaa/releases/tag/3.9.15
- [4] https://github.com/cloudfoundry/uaa/releases/tag/3.6.13
- [5] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=30.5
- [6] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=24.12
- [7] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=13.17
- [8] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=41
History
2017-06-12: Initial vulnerability report published