Severity

High

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

• All cf-release versions prior to v285
• All cf-deployment versions prior to v1.7
• UAA
  • 4.5.x versions prior to 4.5.5
  • 4.8.x versions prior to 4.8.3
  • 4.7.x versions prior to 4.7.4
• UAA-release
  • 45.7.x versions prior to 45.7
  • 52.7.x versions prior to 52.7
  • 53.3.x versions prior to 53.3

Description

Cloud Foundry UAA logs the SessionID in audit event logs. An attacker can use the SessionID to impersonate a logged-in user.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

• Releases that have fixed this issue include:
  • cf-release: 285
  • cf-deployment: 1.7
  • UAA: 4.5.5, 4.8.3, 4.7.4
  • UAA-release: 45.7,52.7, 53.3

Credit

This issue was responsibly reported by the UAA team.

References

• <https://github.com/cloudfoundry/cf-release/releases&gt;
• <https://github.com/cloudfoundry/cf-deployment/releases&gt;
• <https://github.com/cloudfoundry/uaa/releases&gt;
• <https://github.com/cloudfoundry/uaa-release/releases&gt;

History

2018-01-31: Initial vulnerability report published.