CVE-2016-4468 UAA SQL Injection
Severity
High
Vendor
Cloud Foundry Foundation
Versions Affected
- Cloud Foundry release v237 and earlier versions
- UAA release v3.4.0 and earlier versions
- UAA-Release (UAA bosh release) v12 and earlier versions
- PCF Elastic Runtime all versions prior to 1.6.29 and 1.7.x versions prior to 1.7.7
- PCF Ops Manager 1.7.x versions prior to 1.7.8
Description
UAA contains a potential SQL injection vulnerability that is exploitable by authenticated users.
Mitigation
OSS users are strongly encouraged to follow one of the mitigations below:
- Upgrade to Cloud Foundry v238 [1] or later
- For standalone UAA users:
  - For users running UAA version 3.0.0 - 3.4.0, please upgrade UAA to release v3.3.0.2 [3] or v3.4.1 [4]
  - For users running standalone UAA version 2.X.X, please upgrade UAA to release v2.7.4.4 [2]
- For users of UAA-Release (UAA bosh release), please upgrade to UAA-Release v12.2 [5] if upgrading UAA to v3.4.1 [4], or to UAA-Release v11.2 [6] if upgrading UAA to v3.3.0.2 [3]
Pivotal Cloud Foundry users of affected versions are encouraged to follow the mitigation below:
- Upgrade all PCF Elastic Runtime versions prior to 1.6.29 to 1.6.29 or higher
- Upgrade PCF Elastic Runtime 1.7.x versions to 1.7.7 or higher
- Upgrade PCF Ops Manager 1.7.x versions to 1.7.8 or higher
Credit
Graham Viski, Digital Transformation Office, Australian Government
References
- [1] https://github.com/cloudfoundry/cf-release/releases/tag/v238
- [2] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.4
- [3] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.2
- [4] https://github.com/cloudfoundry/uaa/releases/tag/3.4.1
- [5] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=12.2
- [6] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=11.2
History
2016-06-30: Initial vulnerability report published