CVE-2017-8034: JWT issuer validation in multiple CF components
Cloud Foundry Foundation
- CAPI-release capi versions prior to v1.32.0
- Routing-release versions prior to v0.159.0
- CF-release versions prior to v267
The Cloud Controller and Router in Cloud Foundry do not validate the issuer on JSON Web Tokens (JWTs) from UAA. With certain multi-zone UAA configurations, zone administrators are able to escalate their privileges.
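The missing check, as an added Ruby example that is not code from CAPI, routing-release or UAA: HS256 with a shared key stands in for UAA's RSA token signing so it runs offline, and the issuer URLs, key and claims are constructed values.

```ruby
require "base64"
require "json"
require "openssl"

# Issuer-aware JWT verification. The signature check alone is what the
# affected components did; the issuer check is the part the fix adds.
module IssuerCheck
  HEADER = Base64.urlsafe_encode64('{"alg":"HS256","typ":"JWT"}', padding: false)

  # Constructed token builder for the example (not UAA's code).
  def self.sign(claims, key)
    body = Base64.urlsafe_encode64(JSON.generate(claims), padding: false)
    input = "#{HEADER}.#{body}"
    sig = OpenSSL::HMAC.digest("SHA256", key, input)
    "#{input}.#{Base64.urlsafe_encode64(sig, padding: false)}"
  end

  # Constant-time comparison so signature checks do not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Returns the claims only if the signature is valid AND iss is a trusted
  # issuer; raises otherwise.
  def self.verify(token, key, trusted_issuers)
    header, body, sig = token.split(".")
    raise "malformed token" unless header && body && sig
    expected = OpenSSL::HMAC.digest("SHA256", key, "#{header}.#{body}")
    raise "bad signature" unless secure_equal?(expected, Base64.urlsafe_decode64(sig))
    claims = JSON.parse(Base64.urlsafe_decode64(body))
    # Pre-fix Cloud Controller and Router stopped above: a validly signed
    # token from any UAA zone was accepted, so scopes granted by a zone
    # administrator in their own zone counted platform-wide.
    unless trusted_issuers.include?(claims["iss"])
      raise "untrusted issuer: #{claims["iss"].inspect}"
    end
    claims
  end
end
```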
Users of affected versions should apply the following mitigation or upgrade:
- Upgrade to Cloud Foundry v267 or later
- For standalone component users:
  - Upgrade to CAPI-release v1.32.0 or later
  - Upgrade to Routing-release v0.159.0 or later
This vulnerability was responsibly reported by the Cloud Foundry UAA team.
- https://github.com/cloudfoundry/cf-release/releases
- https://github.com/cloudfoundry/capi-release/releases
- https://github.com/cloudfoundry-incubator/routing-release/releases
2017-07-13: Initial vulnerability report published