Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2017-4994: Forwarded Headers in UAA

CVE-2017-4994: Forwarded Headers in UAA




Cloud Foundry Foundation

Versions Affected

  • cf-release versions prior to v263
  • UAA release:
    • 2.x versions prior to v2.7.4.18
    • 3.6.x versions prior to v3.6.12
    • 3.9.x versions prior to v3.9.14
    • Other versions prior to v4.3.0
  • UAA bosh release (uaa-release):
    • 13.x versions prior to v13.16
    • 24.x versions prior to v24.11
    • 30.x versions prior to 30.4
    • Other versions prior to v40


This update resolves an issue with forwarded http headers in UAA which can result in account corruption.


Users of affected versions should apply the following mitigation or upgrade:

  • Upgrade to Cloud Foundry v263 [1] or later
  • For standalone UAA users:
    • For users using UAA Version 3.0.0 – 3.18.0, please upgrade to UAA Release to v3.19.0 [2] or v3.9.14 [3] or v3.6.12 [4]
    • For users using standalone UAA Version 2.X.X, please upgrade to UAA Release to v2.7.4.18 [5]
    • For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v30.4 [6] if upgrading to v3.19.0 [2] or v24.11 [7] if upgrading to v3.9.14 [3] and v13.16 [8] if upgrading to v3.6.12 [4]
    • For users using the latest version, please upgrade to v40 [9].


This vulnerability was responsibly reported by the GE Digital Security Team.




2017-06-06: Initial vulnerability report published

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR