CVE-2017-4960: UAA OAuth DOS via lockout feature
Severity
High
Vendor
Cloud Foundry Foundation
Versions Affected
- Cloud Foundry release v247 – v252
- UAA stand-alone release v3.9.0 – v3.11.0
- UAA Bosh Release v21 – v26
Description
UAA OAuth clients can be subjected to a denial of service attack through the account lockout feature.
Mitigation
OSS users are strongly encouraged to follow one of the mitigations below:
- Upgrade to Cloud Foundry v253 [1] or later
- For users running UAA stand-alone release v3.9.0 – v3.11.0, upgrade to UAA release v3.9.8 [2] or v3.12.0 [3]
- For users running UAA-Release (the UAA Bosh release), upgrade to UAA-Release v24.5 [4] if moving to UAA v3.9.8 [2], or to UAA-Release v27 [5] if moving to UAA v3.12.0 [3]
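An added check, not part of the Cloud Foundry advisory: given a deployed component and its version, it reports whether the version falls inside the affected ranges above and which upgrade the advisory recommends. The component labels (cf-release, uaa, uaa-release) are names chosen here; note that the backported fixes 3.9.8 and v24.5 sit numerically inside the affected ranges, so a plain range comparison would wrongly flag them.

```python
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Ranges and fixes transcribed from the advisory (ranges are inclusive).
# "backports" are fixed releases whose number falls INSIDE the affected
# range; they must be excluded explicitly.
ADVISORY = {
    "cf-release":  {"low": "v247", "high": "v252", "backports": [],
                    "fix": "upgrade to cf-release v253 or later [1]"},
    "uaa":         {"low": "3.9.0", "high": "3.11.0", "backports": ["3.9.8"],
                    "fix": "upgrade to UAA 3.9.8 [2] or 3.12.0 [3]"},
    "uaa-release": {"low": "v21", "high": "v26", "backports": ["v24.5"],
                    "fix": "upgrade to uaa-release v24.5 [4] (with UAA 3.9.8) "
                           "or v27 [5] (with UAA 3.12.0)"},
}

def parse_version(text: str) -> Version:
    """'v3.11.0' -> (3, 11, 0); numeric tuples so 3.11.0 sorts after 3.9.0."""
    parts = text.strip().lower().lstrip("v").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def _pad(v: Version, n: int) -> Version:
    return v + (0,) * (n - len(v))

def _ge(a: Version, b: Version) -> bool:
    n = max(len(a), len(b))
    return _pad(a, n) >= _pad(b, n)

def _covered_by_backport(v: Version, fix: Version) -> bool:
    # A backport such as 3.9.8 only covers its own line (3.9.x >= 3.9.8);
    # 24.5 covers 24.x >= 24.5. Compare the line prefix, then the number.
    line = len(fix) - 1
    return _pad(v, len(fix))[:line] == fix[:line] and _ge(v, fix)

def vulnerable_to_cve_2017_4960(component: str, version: str) -> Optional[str]:
    """Return the advised fix if (component, version) is affected, else None."""
    entry = ADVISORY[component]  # KeyError: component not covered by this advisory
    v = parse_version(version)
    low, high = parse_version(entry["low"]), parse_version(entry["high"])
    in_range = _ge(v, low) and _ge(high, v)
    patched = any(_covered_by_backport(v, parse_version(b)) for b in entry["backports"])
    return entry["fix"] if in_range and not patched else None
```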
Credit
This issue was responsibly reported by the Cloud Foundry UAA Team.
References
- [1] https://github.com/cloudfoundry/cf-release/releases/tag/v253
- [2] https://github.com/cloudfoundry/uaa/releases/tag/3.9.8
- [3] https://github.com/cloudfoundry/uaa/releases/tag/3.12.0
- [4] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=24.5
- [5] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=27
History
2017-03-08: Initial vulnerability report published