CVE-2016-8218: Unauthenticated JWT signing algorithm in routing - Cloud Foundry

2016-12-09T00:00:00
ID CFOUNDRY:BEE37EB18E513B96A1D2ACCCF6CAC8A1
Type cloudfoundry
Reporter Cloud Foundry
Modified 2016-12-09T00:00:00

Description

CVE-2016-8218: Unauthenticated JWT signing algorithm in routing

Critical

Vendor

Cloud Foundry Foundation

Versions Affected

  • routing-release versions prior to 0.142.0
  • cf-release versions 203 to 231

Description

Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users to the routing API.

Mitigation

OSS users of affected routing-release versions are strongly encouraged to:

  • Upgrade routing-release to 0.142.0 or later.

OSS users of cf-release versions 203 to 231 are strongly encouraged to:

  • Upgrade to the latest version of Cloud Foundry. As of this writing, the latest version is v249. [1]

Credit

The issue was responsibly reported by a Pivotal team member.

References

[1] <https://github.com/cloudfoundry/cf-release/releases>

History

2016-12-09: Initial vulnerability report published
2016-12-15: Vulnerable software versions updated