CVE-2017-8034: JWT issuer validation in multiple CF components

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

• CAPI-release capi versions prior to v1.32.0
• Routing-release versions prior to v0.159.0
• CF-release versions prior to v267

Description

The Cloud Controller and Router in Cloud Foundry do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With certain multi-zone UAA configurations, zone administrators are able to escalate their privileges.

Mitigation

Users of affected versions should apply the following mitigation or upgrade:

• Upgrade to Cloud Foundry v267 [1] or later
• For standalone component users:
  • Upgrade to CAPI-release v1.32.0 [2] or later
  • Upgrade to Routing-release v0.159.0 [3] or later

Credit

This vulnerability was responsibly reported by the Cloud Foundry UAA team.

References

• [1] https://github.com/cloudfoundry/cf-release/releases
• [2] https://github.com/cloudfoundry/capi-release/releases
• [3] https://github.com/cloudfoundry-incubator/routing-release/releases  

History

2017-07-13: Initial vulnerability report published