Cloud Foundry Logo
blog single gear
Blog
Security Advisory

CVE-2019-3801: Java Projects using HTTP to fetch dependencies

by: April 25, 2019

CVE-2019-3801: Java Projects using HTTP to fetch dependencies

Severity

High

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • CredHub
    • 2.1 versions prior to 2.1.3
    • 1.9 versions prior to 1.9.10
  • cf-deployment
    • All versions prior to v7.9.0
  • UAA Release (OSS)
    • All versions prior to v64.0

Description

Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java components that are using an insecure protocol to fetch dependencies when building. A remote unauthenticated malicious attacker could hijack the DNS entry for the dependency, and inject malicious code into the component.

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • CredHub
    • Upgrade 2.1 versions to 2.1.3 or greater
    • Upgrade 1.9 versions to 1.9.10 or greater
  • cf-deployment
    • Upgrade All versions to v7.9.0 or greater
  • UAA Release (OSS)
    • Upgrade All versions to v64.0 or greater

History

2019-04-25: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-2836-1 grub2 vulnerability
Security Advisory

USN-2836-1 grub2 vulnerability

by Cloud Foundry Foundation Security Team January 7, 2016
USN-5412-1: curl vulnerabilities
Security Advisory

USN-5412-1: curl vulnerabilities

by Cloud Foundry Foundation Security Team December 7, 2022
USN-4172-1: file vulnerability
Security Advisory

USN-4172-1: file vulnerability

by Cloud Foundry Foundation Security Team November 18, 2019
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept