Security Advisory

Various CVEs: UAA consumes vulnerable versions of FasterXML jackson-databind

Severity

Critical

Vendor

Cloud Foundry Foundation

Description

Cloud Foundry UAA versions prior to 74.7.0 contain a dependency on a vulnerable version of FasterXML jackson-databind. These issues have the CVEs CVE-2019-17531, CVE-2019-14379, CVE-2019-16942, CVE-2019-14540, CVE-2019-17267, CVE-2019-16335, and CVE-2019-16943.

Affected Cloud Foundry Products and Versions

  • CF Deployment
    • All versions prior to v12.7.0
  • UAA
    • All versions prior to v74.7.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • CF Deployment
    • Upgrade all versions to v12.6.0 or greater
  • UAA
    • Upgrade all versions to v74.6.0 or greater
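As an added example (not part of this advisory or the Cloud Foundry project), the following script flags a deployed UAA release that falls in the affected range above. It assumes input shaped like the `bosh releases` table (name, version with a trailing `*` for the deployed version, commit hash); the sample input is constructed, and only the UAA threshold from the "Affected" section is encoded since cf-deployment is a manifest version rather than a BOSH release.

```python
# Added example: compare deployed release versions against the advisory's
# affected ranges. Not part of the advisory; input format is assumed to match
# `bosh releases` table output and the sample below is constructed.
import re

# Release name -> first fixed version, taken from the "Affected" section.
FIXED_VERSIONS = {
    "uaa": "74.7.0",
}


def parse_version(v: str) -> tuple:
    """Turn '74.5.0*' ('*' marks the deployed version in bosh output) into (74, 5, 0).
    Numeric tuples compare correctly where strings would not ('74.10.0' > '74.7.0')."""
    return tuple(int(part) for part in v.strip().rstrip("*").split("."))


def is_affected(name: str, version: str) -> bool:
    """True when the release is one the advisory lists and is below its fixed version."""
    fixed = FIXED_VERSIONS.get(name)
    return fixed is not None and parse_version(version) < parse_version(fixed)


def affected_releases(bosh_releases_output: str) -> list:
    """Return (name, version) pairs from `bosh releases`-style output that are affected."""
    findings = []
    for line in bosh_releases_output.splitlines():
        # name, then a dotted numeric version with optional deployed marker
        m = re.match(r"^\s*(\S+)\s+(\d+(?:\.\d+)*\*?)", line)
        if not m:
            continue  # header, blank and status lines do not match
        name, version = m.group(1), m.group(2)
        if is_affected(name, version):
            findings.append((name, version.rstrip("*")))
    return findings


# Constructed sample resembling `bosh releases` output.
SAMPLE_OUTPUT = """Name         Version   Commit Hash
uaa          74.5.0*   0a1b2c3
uaa          74.7.0    4d5e6f7
garden-runc  1.19.0*   89abcde
"""

if __name__ == "__main__":
    for name, version in affected_releases(SAMPLE_OUTPUT):
        print(f"{name} {version} is affected; upgrade to {FIXED_VERSIONS[name]} or later")
```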

History

2019-11-06: Initial vulnerability report published.


Author: Cloud Foundry Foundation Security Team
