Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2016-8218: Unauthenticated JWT signing algorithm in routing

CVE-2016-8218: Unauthenticated JWT signing algorithm in routing

Severity

Critical

Vendor

Cloud Foundry Foundation

Versions Affected

  • routing-release versions prior to 0.142.0
  • cf-release versions 203 to 231

Description

Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users to the routing API.

Mitigation

OSS users of affected routing-release versions are strongly encouraged to:

  • Upgrade routing-release to 0.142.0 or later.

OSS users of cf-release versions 203 to 231 are strongly encouraged to:

  • Upgrade to the latest version of Cloud Foundry. As of this writing, the latest version is v249. [1]

Credit

The issue was responsibly reported by a VMware team member.

References

[1] https://github.com/cloudfoundry/cf-release/releases

History

2016-12-09: Initial vulnerability report published
2016-12-15: Vulnerable software versions updated

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES