CVE-2017-4994: Forwarded Headers in UAA
Affected Pivotal Products and Versions
Severity is high unless otherwise noted.
- PCF Elastic Runtime:
  - All 1.6.x versions
  - 1.7.x versions prior to 1.7.66
  - 1.8.x versions prior to 1.8.46
  - 1.9.x versions prior to 1.9.24
  - 1.10.x versions prior to 1.10.11
- PCF Operations Manager:
  - All 1.7.x versions
  - 1.8.x versions prior to 1.8.23
  - 1.9.x versions prior to 1.9.14
  - 1.10.x versions prior to 1.10.9
Users of affected versions should apply the following mitigation:
- The Cloud Foundry team recommends upgrading BOSH stemcells and/or other OSS components listed here if applicable.
- Releases that have fixed this issue include:
  - PCF Elastic Runtime: 1.7.66, 1.8.46, 1.9.24, 1.10.11
  - PCF Operations Manager: 1.8.23, 1.9.14, 1.10.9
- Note: a 1.7.x version fixing this issue is forthcoming.