Cloud Foundry Logo

CVE-2019-3801: Java Projects using HTTP to fetch dependencies


Share

CVE-2019-3801: Java Projects using HTTP to fetch dependencies

Severity

High

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • CredHub
    • 2.1 versions prior to 2.1.3
    • 1.9 versions prior to 1.9.10
  • cf-deployment
    • All versions prior to v7.9.0
  • UAA Release (OSS)
    • All versions prior to v64.0

Description

Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component.

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • CredHub
    • Upgrade 2.1 versions to 2.1.3 or greater
    • Upgrade 1.9 versions to 1.9.10 or greater
  • cf-deployment
    • Upgrade All versions to v7.9.0 or greater
  • UAA Release (OSS)
    • Upgrade All versions to v64.0 or greater

History

2019-04-25: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES