CVE-2017-4960: UAA OAuth DOS via lockout feature


Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

  • Cloud Foundry release v247 – v252
  • UAA stand-alone release v3.9.0 – v3.11.0
  • UAA Bosh Release v21 – v26

Description

UAA OAuth clients could be subjected to a denial of service attack via the account lockout feature.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry v253 [1] or later
  • For users using UAA version 3.9.0 – 3.11.0, please upgrade UAA to v3.9.8 [2] or v3.12.0 [3]
  • For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v24.5 [4] if upgrading to v3.9.8 [2], or to UAA-Release v27 [5] if upgrading to v3.12.0 [3]

Credit

This issue was responsibly reported by the Cloud Foundry UAA Team.

References

History

2017-03-08: Initial vulnerability report published

Author

Cloud Foundry Foundation Security Team