Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2017-8032: UAA Identity Zone Admin Privilege Escalation

CVE-2017-8032: UAA Identity Zone Admin Privilege Escalation

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

  • Please see additional information in the Mitigation section to determine if your foundation is affected.
  • cf-release versions prior to v264
  • UAA release:
    • All versions of UAA v2.x.x
    • 3.6.x versions prior to v3.6.13
    • 3.9.x versions prior to v3.9.15
    • 3.20.x versions prior to v3.20.0
    • Other versions prior to v4.4.0
  • UAA bosh release (uaa-release):
    • 13.x versions prior to v13.17
    • 24.x versions prior to v24.12
    • 30.x versions prior to 30.5
    • Other versions prior to v41

Description

Zone administrators are allowed to escalate their privileges when mapping permissions for an external provider.

Mitigation

A foundation is affected by this issue only if all of the following are true. It is possible to mitigate this issue prior to upgrade by updating your UAA configuration to make any one of these statements false.

  • You are using multiple zones in UAA
  • You are giving out admin privileges for managing external providers (LDAP/SAML/OIDC) and corresponding group mappings
  • You have enabled LDAP/SAML/OIDC providers and external group mappings

Users of affected versions should apply the following mitigation or upgrade:

  • Upgrade to Cloud Foundry 264 [1] or later
  • For standalone UAA users:
    • For users using UAA Version 2.x.x, please upgrade to a fixed version of 3.x.x
    • For users using UAA Version 3.0.0 – 3.20.0, please upgrade to UAA Release to v3.20.0 [2] or v3.9.15 [3] or v3.6.13 [4]
    • For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v30.5 [5] if upgrading to v3.20.0 [2] or v24.12 [6] if upgrading to v3.9.15 [3] and v13.17 [7] if upgrading to v3.6.13 [4]
    • For users using the latest version, please upgrade to v41 [8].

Credit

This vulnerability was responsibly reported by the Cloud Foundry UAA team.

References

 

History

2017-06-12: Initial vulnerability report published

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES