Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2016-4468 UAA SQL Injection

 

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

  • Cloud Foundry release v237 and earlier versions
  • UAA release v3.4.0 and earlier versions
  • UAA release V12 and earlier versions

Description

There is the potential for a SQL injection attack in UAA for authenticated users.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry v238 [1] or later

For standalone UAA users

  • For users using UAA Version 3.0.0 – 3.4.0, please upgrade to UAA Release to v3.3.0.2 [3] or v3.4.1 [4]
  • For users using standalone UAA Version 2.X.X, please upgrade to UAA Release to v2.7.4.4 [2]
  • For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v12.2 [5] if upgrading to v3.4.1 [4] or v11.2 [6] if upgrading to v3.3.0.2 [3]

Credit

Graham Viski, Digital Transformation Office, Australian Government

References

History

2016-06-30: Initial vulnerability report published

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES