Cloud Foundry Logo
blog single gear
Blog
Security Advisory

CVE-2019-3801: Java Projects using HTTP to fetch dependencies

by: April 25, 2019

CVE-2019-3801: Java Projects using HTTP to fetch dependencies

Severity

High

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • CredHub
    • 2.1 versions prior to 2.1.3
    • 1.9 versions prior to 1.9.10
  • cf-deployment
    • All versions prior to v7.9.0
  • UAA Release (OSS)
    • All versions prior to v64.0

Description

Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component.

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • CredHub
    • Upgrade 2.1 versions to 2.1.3 or greater
    • Upgrade 1.9 versions to 1.9.10 or greater
  • cf-deployment
    • Upgrade All versions to v7.9.0 or greater
  • UAA Release (OSS)
    • Upgrade All versions to v64.0 or greater

History

2019-04-25: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-4357-1: IPRoute vulnerability
Security Advisory

USN-4357-1: IPRoute vulnerability

by Cloud Foundry Foundation Security Team June 24, 2020
USN-6512-1: LibTIFF vulnerabilities
Security Advisory

USN-6512-1: LibTIFF vulnerabilities

by Cloud Foundry Foundation Security Team March 18, 2024
USN-3686-1: file vulnerabilities
Security Advisory

USN-3686-1: file vulnerabilities

by Cloud Foundry Foundation Security Team June 20, 2018
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept