The Open source devops platform Cloud Foundry has disclosed a vulnerability, tracked as CVE-2017-8032, that affects its User Account and Authentication server software. The flaw, rated by the organization as high-severity, could be exploited by zone administrators to escalate their privileges when mapping permissions for an external provider.
The User Account and Authentication is the Cloud Foundry ID management service that implements the OAuth2 authentication protocol.
“In Cloud Foundry cf-release versions prior to v264; UAA release all versions of UAA v2.x.x, 3.6.x versions prior to v3.6.13, 3.9.x versions prior to v3.9.15, 3.20.x versions prior to v3.20.0, and other versions prior to v4.4.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.17, 24.x versions prior to v24.12. 30.x versions prior to 30.5, and other versions prior to v41, zone administrators are allowed to escalate their privileges when mapping permissions for an external provider.” reads the description published by the Mitre.
The vulnerability affects the following versions of UAA and cf-release versions prior to v264:
The Cloud Foundry security advisory highlights that a foundation is vulnerable only if all of the following conditions are satisfied:
Cloud Foundry suggests making one of these conditions false to mitigate the threat.
Revising any of these settings serves as a mitigation ahead of implementing a patch, Cloud Foundry says.
The advisory includes the link to upgrade both Cloud Foundry users to version 264 or later and standalone UAA users that have to install the 3.x.x series.
(Security Affairs – Cloud Foundry, User Account and Authentication)