CVE-2017-8034: JWT issuer validation in multiple CF components


Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

  • CAPI-release capi versions prior to v1.32.0
  • Routing-release versions prior to v0.159.0
  • CF-release versions prior to v267

Description

The Cloud Controller and Router in Cloud Foundry do not validate the issuer (iss) claim on JSON Web Tokens (JWTs) issued by UAA. With certain multi-zone UAA configurations, this allows zone administrators to escalate their privileges.
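As an added illustration (not code from the advisory or from any Cloud Foundry component), the check the fix amounts to, written in Go since the Router is a Go component: a token validator that verifies the signature and then requires the iss claim to name a configured trusted issuer. It assumes, as a constructed scenario, that tokens from two UAA zones verify under the same signing key, so the signature alone cannot tell them apart; the HS256 signing helper and the issuer URLs are also constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding

// Claims carries the one claim this example validates: the token issuer.
type Claims struct {
	Iss string `json:"iss"`
}

// Sign mints an HS256 token (constructed for the example; UAA itself signs with RSA).
func Sign(c Claims, key []byte) string {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// Verify checks the signature and then, unless trusted is nil (which reproduces the
// pre-fix behaviour), requires "iss" to name an issuer this component was configured to trust.
func Verify(tok string, key []byte, trusted map[string]bool) (c Claims, err error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("bad signature")
	}
	body, err := b64.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(body, &c)
	}
	// The fix: a correctly signed token from a zone this component does not trust is rejected.
	if err == nil && trusted != nil && !trusted[c.Iss] {
		err = errors.New("untrusted issuer: " + c.Iss)
	}
	return c, err
}
```

With trusted set to nil the foreign-zone token passes on its signature alone; with the trusted issuer map supplied, only tokens whose iss matches are accepted.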

Mitigation

Users of affected versions should apply the following mitigation or upgrade:

  • Upgrade to Cloud Foundry v267 [1] or later
  • For standalone component users:
    • Upgrade to CAPI-release v1.32.0 [2] or later
    • Upgrade to Routing-release v0.159.0 [3] or later

Credit

This vulnerability was responsibly reported by the Cloud Foundry UAA team.

References

History

2017-07-13: Initial vulnerability report published

Cloud Foundry Foundation Security Team, AUTHOR