CVE-2017-4994: Forwarded Headers in UAA

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

• cf-release versions prior to v263
• UAA release:
  • 2.x versions prior to v2.7.4.18
  • 3.6.x versions prior to v3.6.12
  • 3.9.x versions prior to v3.9.14
  • Other versions prior to v4.3.0
• UAA bosh release (uaa-release):
  • 13.x versions prior to v13.16
  • 24.x versions prior to v24.11
  • 30.x versions prior to 30.4
  • Other versions prior to v40

Description

This update resolves an issue with forwarded http headers in UAA which can result in account corruption.

Mitigation

Users of affected versions should apply the following mitigation or upgrade:

• Upgrade to Cloud Foundry v263 [1] or later
• For standalone UAA users:
  • For users using UAA Version 3.0.0 – 3.18.0, please upgrade to UAA Release to v3.19.0 [2] or v3.9.14 [3] or v3.6.12 [4]
  • For users using standalone UAA Version 2.X.X, please upgrade to UAA Release to v2.7.4.18 [5]
  • For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v30.4 [6] if upgrading to v3.19.0 [2] or v24.11 [7] if upgrading to v3.9.14 [3] and v13.16 [8] if upgrading to v3.6.12 [4]
  • For users using the latest version, please upgrade to v40 [9].

Credit

This vulnerability was responsibly reported by the GE Digital Security Team.

References

• [1] https://github.com/cloudfoundry/cf-release/releases
• [2] https://github.com/cloudfoundry/uaa/releases/tag/3.19.0
• [3] https://github.com/cloudfoundry/uaa/releases/tag/3.9.14
• [4] https://github.com/cloudfoundry/uaa/releases/tag/3.6.12
• [5] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.18
• [6] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=30.4
• [7] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=24.11
• [8] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=13.16
• [9] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=40

 

History

2017-06-06: Initial vulnerability report published