Cloud Foundry Logo

CVE-2019-3801: Java Projects using HTTP to fetch dependencies


CVE-2019-3801: Java Projects using HTTP to fetch dependencies

Severity

High

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • CredHub
    • 2.1 versions prior to 2.1.3
    • 1.9 versions prior to 1.9.10
  • UAA Release (OSS)
    • All versions prior to v64.0

Description

Cloudfoundry java products are using an insecure protocol to fetch dependencies when building.

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:

  • CredHub
    • Upgrade 2.1 versions to 2.1.3
    • Upgrade 1.9 versions to 1.9.10
  • UAA Release (OSS)
    • Upgrade all versions to v64.0

History

2019-04-22: Initial vulnerability report published.

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES