CVE-2018-1192: UAA SessionID present in Audit Event Logs


Share

CVE-2018-1192: UAA SessionID present in Audit Event Logs

Severity

High

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • All cf-release versions prior to v285
  • All cf-deployment versions prior to v1.7
  •  UAA
    • 4.5.x versions prior to 4.5.5
    • 4.8.x versions prior to 4.8.3
    • 4.7.x versions prior to 4.7.4
  • UAA-release
    • 45.7.x versions prior to 45.7
    • 52.7.x versions prior to 52.7
    • 53.3.x versions prior to 53.3

Description

Cloud Foundry UAA logs the SessionID in audit event logs. An attacker can use the SessionID to impersonate a logged-in user.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • cf-release: 285
    • cf-deployment: 1.7
    • UAA: 4.5.5, 4.8.3, 4.7.4
    • UAA-release: 45.7,52.7, 53.3

Credit

This issue was responsibly reported by the UAA team.

References

History

2018-01-31: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES