CVE-2016-0732 Privilege Escalation
Severity
Critical
Vendor
Cloud Foundry Foundation
Versions Affected
- Cloud Foundry v208 through v229
- UAA v2.0.0 – v2.7.3 & v3.0.0
- UAA-Release v2 through v4
Description
A privilege escalation vulnerability has been identified in the identity zones feature of UAA: users holding the appropriate permissions in one identity zone can perform unauthorized operations in a different zone.
Mitigation
Users are strongly encouraged to follow one of the mitigations below:
- Upgrade to Cloud Foundry v230 [1] or later
- For standalone UAA users:
  - If running UAA v3.0.0, upgrade to UAA release v3.0.1 [3] or later
  - If running UAA v2.X.X, upgrade to UAA release v2.7.4 [2] or v3.0.1 [3]
- For users of UAA-Release (the UAA BOSH release), upgrade to UAA-Release v5 [4]
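As an added triage helper (not part of this advisory or of the Cloud Foundry project), the following Python encodes the affected ranges and fix releases listed above so an operator can check an inventory of deployed component versions; the component names and the sample inventory are constructed for the example:

```python
"""Triage helper for CVE-2016-0732 (added example, not Cloud Foundry code).

Classifies a deployed component version against the affected ranges in the
advisory and names the release that fixes it.
"""
import re


def _parse(version):
    """Turn 'v2.7.3', '229' or '3.0.1' into a tuple of ints for comparison.

    Pre-release suffixes (e.g. '-rc1') are not understood and would sort
    above the final release; normalise such strings before calling this.
    """
    nums = re.findall(r"\d+", version)
    if not nums:
        raise ValueError("unrecognised version: %r" % version)
    return tuple(int(n) for n in nums)


# Affected ranges per component, taken from the advisory text.
# Each entry: (lower bound inclusive, upper bound inclusive, fixed release).
ADVISORY = {
    "cf-release": [((208,), (229,), "v230")],
    "uaa": [
        ((2, 0, 0), (2, 7, 3), "2.7.4 or 3.0.1"),
        ((3, 0, 0), (3, 0, 0), "3.0.1"),
    ],
    "uaa-release": [((2,), (4,), "v5")],
}


def assess(component, version):
    """Return (affected, recommended_release) for one deployed component.

    recommended_release is None when the version lies outside every
    affected range (already fixed, or older than the affected series).
    """
    v = _parse(version)
    for low, high, fix in ADVISORY[component]:
        if low <= v <= high:
            return True, fix
    return False, None


def triage(inventory):
    """Map a {component: version} inventory to the components still affected."""
    findings = {}
    for component, version in inventory.items():
        affected, fix = assess(component, version)
        if affected:
            findings[component] = "upgrade %s %s -> %s" % (component, version, fix)
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    sample = {"cf-release": "v229", "uaa": "3.0.0", "uaa-release": "v5"}
    for line in triage(sample).values():
        print(line)
```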
Credit
Discovered by the GE Digital Security Team
References
- [1] https://github.com/cloudfoundry/cf-release/releases/tag/v230
- [2] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4
- [3] https://github.com/cloudfoundry/uaa/releases/tag/3.0.1
- [4] https://github.com/cloudfoundry/uaa-release/releases/tag/v5
History
2016-Feb-2: Initial vulnerability report published on VMware.io
2017-Sep-8: Report published on cloudfoundry.org