Cloud FoundryCFOUNDRY:F2B4E517477A50CF07C4D295A6DE5D62CVE-2016-5016 UAA accepts expired certificates | Cloud Foundry
0.003 Low
EPSS
Percentile
66.4%
CVE-2016-5016 UAA accepts expired certificates
High
Vendor
Cloud Foundry Foundation
Versions Affected
- Cloud Foundry release v239 and earlier versions
- UAA release v3.4.1 and earlier versions
- UAA release V12.2 and earlier versions
Description
UAA uses the OpenJDK Java Runtime Environment TrustManager to store trusted certificates. TrustManager does not by default check certificates for expiration. UAA was found to accept expired certificates.
Mitigation
Users of affected versions should apply the following mitigation:
- Upgrade to Cloud Foundry v240 [1] or later
For standalone UAA users:
- For users using UAA Version 3.0.0 – 3.4.0, please upgrade to UAA Release to v3.3.0.3 [3] or v3.4.2 [4]
- For users using standalone UAA Version 2.X.X, please upgrade to UAA Release to v2.7.4.6 [2]
- For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v12.3 [5] if upgrading to v3.4.2 [4] or v11.3 [6] if upgrading to v3.3.0.3 [3]
Credit
Krolim
References
[1] <https://github.com/cloudfoundry/cf-release/releases/tag/v240>
[2] <https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6>
[3] <https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3>
[4] <https://github.com/cloudfoundry/uaa/releases/tag/3.4.2>
[5] <https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3>
[6] <https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3>
History
2016-August-18: Initial vulnerability report published
Related
