Severity
High
CVSS score: 8.3 (High) (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
CVSS score: 7.5 (High) (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N/RL:O)
Vendor
CloudFoundry Foundation
Versions Affected
*Severity is High unless otherwise noted.
UAA
- All versions prior to v78.13.0
Cf-deployment
- All versions prior to v56.2.0
Description
A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certificate from any trusted CA, then harvest the LDAP bind password and every end-user password sent during simple-bind authentication, and return forged group memberships that grant themselves admin scopes. This affects every deployment that authenticates users against LDAP over StartTLS.
How to tell if your UAA installation is affected
You are vulnerable if both of the following conditions are met:
- Version: You are using a UAA version prior to v78.13.0.
- Configuration: You use LDAP with StartTLS (typically indicated by an ldap:// profile URL pointing to port 389 with TLS upgrade settings enabled).
How to tell if your UAA installation is NOT affected
You are not affected if your deployment meets any of the following criteria:
- Version: You are using UAA version v78.13.0 or greater.
- Protocol: You exclusively use LDAPS (ldaps:// typically on port 636).
- No Integration: You do not use LDAP for authentication at all (e.g., relying solely on SAML, OIDC, or internal UAA users).
Mitigation
Users of affected products are strongly encouraged to follow the mitigations below.
The Cloud Foundry project recommends upgrading the following releases:
UAA
– Upgrade UAA versions to v78.13.0 or greater
Cf-deployment
– Upgrade cf-deployment to v56.1.0 or greater
Credit
n/a
History
July 8th: Initial vulnerability report published.
