The Open source devops platform Cloud Foundry has disclosed a vulnerability, tracked as CVE-2017-8032, that affects its User Account and Authentication server software. The flaw, rated by the organization as high-severity, could be exploited by zone administrators to escalate their privileges when mapping permissions for an external provider.
The User Account and Authentication is the Cloud Foundry ID management service that implements the OAuth2 authentication protocol.
“In Cloud Foundry cf-release versions prior to v264; UAA release all versions of UAA v2.x.x, 3.6.x versions prior to v3.6.13, 3.9.x versions prior to v3.9.15, 3.20.x versions prior to v3.20.0, and other versions prior to v4.4.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.17, 24.x versions prior to v24.12. 30.x versions prior to 30.5, and other versions prior to v41, zone administrators are allowed to escalate their privileges when mapping permissions for an external provider.” reads the description published by the Mitre.
The vulnerability affects the following versions of UAA and cf-release versions prior to v264:
The Cloud Foundry security advisory highlights that a foundation is vulnerable only if all of the following conditions are satisfied:
Cloud Foundry suggests making one of these conditions false to mitigate the threat.
Revising any of these settings serves as a mitigation ahead of implementing a patch, Cloud Foundry says.
The advisory includes the link to upgrade both Cloud Foundry users to version 264 or later and standalone UAA users that have to install the 3.x.x series.
(Security Affairs – Cloud Foundry, User Account and Authentication)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.