CVE-2015-5170-5173 UAA Vulnerabilities


Severity

Low

Vendor

Cloud Foundry Foundation

Versions Affected
  • cf-release versions v215 & prior
  • UAA versions 2.5.1 & prior
  • Pivotal Cloud Foundry 1.6.x and prior
Description

CSRF Attack on PWS. It is possible to log the user into another account instead of the account they intended to log into because of the lack of CSRF checks. (CVE-2015-5170)

Password change does not expire existing sessions. After a password reset link is requested and a user's password is then changed, not all existing sessions are logged out automatically. Logging in with the new password doesn't invalidate the older session either. Deployments enabled for integration via SAML or LDAP are not affected. (CVE-2015-5171)

Password Reset Link not expiring. Old password reset links working even after a password change. Deployments enabled for integration via SAML or LDAP are not affected. (CVE-2015-5172)

Cross Domain Referer Leakage. When the user gets an email with password recovery link, which includes reset password token. The user clicks this link and is expected to enter a new password twice. cross-domain referer leakage takes place. Deployments enabled for integration via SAML or LDAP are not affected. (CVE-2015-5173)

Affected Pivotal Products and Versions

Severity is low unless otherwise noted.

  • All versions of Cloud Foundry Runtime cf-release prior to v216
  • All versions of UAA Standalone prior to 2.5.2
  • All versions Pivotal Cloud Foundry Elastic Runtime prior to 1.7.0
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends that Cloud Foundry Runtime Deployments running Release v215 or earlier upgrade to v217 or later
  • The Cloud Foundry project recommends that Cloud Foundry UAA standalone deployments running Release 2.5.1 or earlier upgrade to Release 2.5.2 or later
  • Upgrade all Pivotal Cloud Foundry Runtime versions to 1.7.0 or later
Credit

CVE-2015-5170: This issue was identified by Jay Patel and reported responsibly to the Pivotal Security Team.

CVE-2015-5171 and CVE-2015-5172 and CVE-2015-5173: These issues were identified by external security researchers and reported responsibly to the Pivotal Security Team.