CVE-2016-6637 UAA CSRF Vulnerability for OAuth Approvals | Cloud Foundry

2016-09-26T00:00:00
ID CFOUNDRY:2F7C558DB9BC04335E2E441E7B492A28
Type cloudfoundry
Reporter Cloud Foundry
Modified 2016-09-26T00:00:00

Description

CVE-2016-6637 UAA CSRF Vulnerability for OAuth Approvals

Severity

Low

Vendor

Cloud Foundry Foundation

Versions Affected

  • Cloud Foundry release v241 and earlier versions
  • UAA release v2.0.0 – v2.7.4.6 & v3.0.0 – v3.6.0
  • UAA bosh release v15 & earlier versions

Description

The UAA profile and OAuth authorize approval pages do not include CSRF tokens, so a forged cross-site request could approve or deny scopes on behalf of an already authenticated user.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry v242 [1] or later

For standalone UAA users:

  • For users using UAA version 3.0.0 – 3.6.0, please upgrade to UAA release v3.7.0 [2], v3.4.4 [3] or v3.3.0.5 [4]
  • For users using standalone UAA version 2.X.X, please upgrade to UAA release v2.7.4.7 [5]
  • For users using the UAA bosh release, please upgrade to UAA-Release v16 [6] if upgrading to v3.7.0 [2], v12.5 [7] if upgrading to v3.4.4 [3], or v11.5 [8] if upgrading to v3.3.0.5 [4]

Credit

GE Digital Security Team

References

  • [1] <https://github.com/cloudfoundry/cf-release/releases/tag/v242>
  • [2] <https://github.com/cloudfoundry/uaa/releases/tag/3.7.0>
  • [3] <https://github.com/cloudfoundry/uaa/releases/tag/3.4.4>
  • [4] <https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.5>
  • [5] <https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.7>
  • [6] <https://github.com/cloudfoundry/uaa-release/releases/tag/v16>
  • [7] <https://github.com/cloudfoundry/uaa-release/releases/tag/v12.5>
  • [8] <https://github.com/cloudfoundry/uaa-release/releases/tag/v11.5>

History

2016-09-26: Initial vulnerability report published