CVE-2017-4963: Session Fixation for UAA External Authentication
Cloud Foundry Foundation
- Cloud Foundry release v252 and earlier versions
- UAA stand-alone release v2.0.0 – v220.127.116.11 & v3.0.0 – v3.11.0
- UAA bosh release v26 & earlier versions
UAA is vulnerable to session fixation when it is configured to authenticate against external SAML or OpenID Connect identity providers: the session established before the external login is carried over, unchanged, into the authenticated session.
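To make the vulnerability class concrete, the following added example (constructed for this advisory, not UAA's code) models an external-IdP login callback twice over a minimal in-memory session store: once keeping the pre-authentication session id after the identity provider returns, and once regenerating it. The `fixation_check` helper is the check a reviewer or tester would run against either handler; the store, the `state` attribute and the user name are all hypothetical.

```python
"""
Constructed model of session fixation in an external-IdP (SAML/OIDC) login flow.
Not UAA's code: a minimal session store plus two versions of the callback handler.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Session:
    authenticated: bool = False
    user: Optional[str] = None
    attrs: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """Hypothetical server-side session store keyed by an opaque session id."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def rotate(self, sid: str) -> str:
        """Move the session state under a fresh id and invalidate the old id."""
        session = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = session
        return new_sid


def begin_login(store: SessionStore, sid: str) -> str:
    """Before redirecting to the IdP, bind a random state value to the
    pre-authentication session (hypothetical detail of the flow)."""
    session = store.get(sid)
    if session is None:
        raise KeyError("unknown session")
    session.attrs["state"] = secrets.token_urlsafe(16)
    return session.attrs["state"]


def _verify_callback(store: SessionStore, sid: str, state: str) -> Session:
    """Shared checks: the session must exist and the returned state must match."""
    session = store.get(sid)
    if session is None or session.attrs.get("state") != state:
        raise PermissionError("state mismatch")
    return session


def idp_callback_vulnerable(store: SessionStore, sid: str, state: str,
                            asserted_user: str) -> str:
    """Fixation-prone: the user is authenticated into the very session id
    that existed before login, so that id now carries an authenticated session."""
    session = _verify_callback(store, sid, state)
    session.authenticated = True
    session.user = asserted_user
    session.attrs.pop("state", None)
    return sid


def idp_callback_hardened(store: SessionStore, sid: str, state: str,
                          asserted_user: str) -> str:
    """Hardened: same checks, but the session id is regenerated on success,
    so the pre-authentication id no longer resolves to any session."""
    session = _verify_callback(store, sid, state)
    session.authenticated = True
    session.user = asserted_user
    session.attrs.pop("state", None)
    return store.rotate(sid)


def fixation_check(callback: Callable[[SessionStore, str, str, str], str]) -> bool:
    """Return True if the pre-authentication session id is still valid and
    authenticated after the IdP callback, i.e. the handler is fixation-prone."""
    store = SessionStore()
    pre_auth_sid = store.create()
    state = begin_login(store, pre_auth_sid)
    post_auth_sid = callback(store, pre_auth_sid, state, "alice@example.test")
    old = store.get(pre_auth_sid)
    return old is not None and old.authenticated and post_auth_sid == pre_auth_sid


if __name__ == "__main__":
    print("vulnerable handler fixation-prone:", fixation_check(idp_callback_vulnerable))
    print("hardened handler fixation-prone:  ", fixation_check(idp_callback_hardened))
```

The point of the hardened variant is that rotating the id happens at the moment privilege changes (here, when the external assertion is accepted), which is the same property the `fixation_check` helper tests for: after a successful callback the old id must not resolve to an authenticated session.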
OSS users are strongly encouraged to follow one of the mitigations below:
- Upgrade to Cloud Foundry v253 or later
- For standalone UAA users:
  - For users of standalone UAA version 3.X.X, upgrade to UAA release v3.6.7, v3.9.5, or v3.12.0
  - For users of standalone UAA version 2.X.X, upgrade to UAA release v18.104.22.168
  - For users of the UAA bosh release, upgrade to UAA-Release v13.11 if upgrading to v3.6.7, v24.2 if upgrading to v3.9.5, or v27 if upgrading to v3.12.0
This issue was responsibly reported by the GE Digital Security Team.
2017-03-29: Initial vulnerability report published