CVE-2016-6651 Privilege Escalation in UAA
Severity
High
Vendor
Cloud Foundry Foundation
Versions Affected
- Cloud Foundry release v242 and earlier versions
- UAA release v3.7.0 & earlier versions
- UAA bosh release (uaa-release) v16 & earlier versions
- PCF Elastic Runtime versions prior to 1.6.40, 1.7.x versions prior to 1.7.21, and 1.8.x versions prior to 1.8.1
- NOTE: Pivotal encourages upgrading 1.8.x versions to 1.8.2
- PCF Ops Manager 1.7.x versions prior to 1.7.13 and 1.8.x versions prior to 1.8.1
Description
A privilege escalation vulnerability has been identified in the /oauth/token endpoint of UAA that allows a user to elevate the privileges carried in the token issued to them.
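The advisory only states that the token issued by /oauth/token can carry elevated privileges. From a defender's side, the corresponding check is to compare the scopes inside an issued access token against the scopes the requesting client is actually entitled to. The following is an added example, not code from the advisory or from the UAA project: it assumes an allow-list keyed by `client_id` (in a real deployment this would come from the UAA client registry), and the sample tokens, the allow-list and the scope names in them are constructed for the demonstration. It reads the JWT payload without verifying the signature, so it belongs after normal token validation (or alongside a call to UAA's /check_token endpoint), not in place of it.

```python
"""Audit UAA-issued access tokens for scope inflation (added example)."""
import base64
import json

# Constructed allow-list: scopes each OAuth client may legitimately receive.
# A real deployment would load this from the UAA client registry.
CLIENT_ALLOWED_SCOPES = {
    "app": {"openid", "cloud_controller.read", "cloud_controller.write"},
    "cf": {"openid", "cloud_controller.read", "cloud_controller.write",
           "password.write"},
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS/JWT.

    The signature is NOT checked here; only run this on tokens that the
    normal validation path (signature, expiry, issuer) has already accepted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def excess_scopes(claims: dict) -> set:
    """Scopes present in the token that the requesting client may not receive.

    An unknown client_id is allowed nothing, so all of its scopes are flagged.
    """
    client_id = claims.get("client_id", "")
    granted = set(claims.get("scope", []))          # UAA emits scope as a list
    allowed = CLIENT_ALLOWED_SCOPES.get(client_id, set())
    return granted - allowed


def audit(token: str) -> list:
    """Sorted list of excess scopes; an empty list means nothing to flag."""
    return sorted(excess_scopes(decode_claims(token)))


def build_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg 'none') for the demo only."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens: one within the client's entitlement, one that
# carries scopes the client "app" is never allowed to obtain.
NORMAL = build_unsigned_token({
    "client_id": "app", "user_name": "alice",
    "scope": ["openid", "cloud_controller.read"],
})
INFLATED = build_unsigned_token({
    "client_id": "app", "user_name": "alice",
    "scope": ["openid", "cloud_controller.read", "uaa.admin", "scim.write"],
})

if __name__ == "__main__":
    for name, tok in (("normal", NORMAL), ("inflated", INFLATED)):
        print(name, audit(tok) or "ok")
```

Running the block prints `normal ok` and `inflated ['scim.write', 'uaa.admin']`. The same comparison can be applied to tokens recorded in the UAA audit log: any token whose scope set exceeds the client's registered scopes is a candidate for the behaviour this advisory describes, regardless of which UAA version issued it.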
Mitigation
OSS users are strongly encouraged to follow one of the mitigations below:
- Upgrade to Cloud Foundry v243 [1] or later
- For standalone UAA users:
  - For UAA versions 3.0.0 to 3.7.0, upgrade to UAA release v3.7.3 [2], v3.4.5 [3] or v3.3.0.6 [4]
  - For standalone UAA versions 2.X.X, upgrade to UAA release v2.7.4.8 [5]
- For UAA bosh release users, upgrade to uaa-release v17 [6] if upgrading to UAA v3.7.3 [2], v12.6 [7] if upgrading to v3.4.5 [3], or v11.7 [8] if upgrading to v3.3.0.6 [4]
Pivotal Cloud Foundry users of affected versions are encouraged to follow the mitigations below:
- Upgrade Pivotal Elastic Runtime to 1.6.40, 1.7.x versions to 1.7.21, and 1.8.x versions to 1.8.2
- Upgrade Pivotal Ops Manager 1.7.x versions to 1.7.13 and 1.8.x versions to 1.8.1
Credit
SAP HCP Security Team
References
- [1] https://github.com/cloudfoundry/cf-release/releases/tag/v243
- [2] https://github.com/cloudfoundry/uaa/releases/tag/3.7.3
- [3] https://github.com/cloudfoundry/uaa/releases/tag/3.4.5
- [4] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.6
- [5] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.8
- [6] https://github.com/cloudfoundry/uaa-release/releases/tag/v17
- [7] https://github.com/cloudfoundry/uaa-release/releases/tag/v12.6
- [8] https://github.com/cloudfoundry/uaa-release/releases/tag/v11.7
History
2016-09-26: Initial vulnerability report published