CVE-2016-3084 UAA Password Reset Vulnerability
Vendor: Cloud Foundry Foundation
Versions Affected:
- Cloud Foundry release v236 and earlier versions
- UAA release v3.3.0 and earlier versions
- All versions of Login-server
- UAA release v10 and earlier versions
- Pivotal Elastic Runtime versions prior to 1.7.2
Description:
The UAA reset password flow is vulnerable to a brute force attack because multiple reset codes can be active at the same time, so each guess an attacker makes has more than one valid value it could match. This vulnerability applies only when the UAA internal user store is used for authentication. Deployments that integrate via SAML or LDAP are not affected.
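The following is an added illustration, not UAA's own code, of the defensive property the advisory is about: a reset-code store that allows at most one live code per account, so issuing a new code revokes the previous one, together with a code lifetime, an attempt budget and a constant-time comparison. The constants, class and function names are assumptions chosen for the example; `guess_success_probability` quantifies why several simultaneously valid codes weaken the flow, which is the point the description makes.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed parameters for this illustration (not values from UAA).
CODE_BYTES = 32          # 256 bits of randomness per reset code
CODE_TTL_SECONDS = 600   # a code stays valid for ten minutes
MAX_ATTEMPTS = 5         # wrong guesses tolerated before the code is burned


@dataclass
class ResetCode:
    token: str
    expires_at: float
    attempts: int = 0


class PasswordResetService:
    """Hypothetical reset-code store keeping a single live code per user."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._active: dict[str, ResetCode] = {}   # username -> the only live code

    def issue_code(self, username: str) -> str:
        token = secrets.token_urlsafe(CODE_BYTES)
        # Overwriting the entry invalidates any earlier code for this user, so
        # repeated reset requests never accumulate multiple valid codes.
        self._active[username] = ResetCode(token, self._clock() + CODE_TTL_SECONDS)
        return token

    def active_code_count(self, username: str) -> int:
        """Never exceeds 1 by construction."""
        return 1 if username in self._active else 0

    def redeem(self, username: str, candidate: str) -> bool:
        rec = self._active.get(username)
        if rec is None:
            return False
        if self._clock() > rec.expires_at:
            del self._active[username]          # expired codes are discarded
            return False
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            del self._active[username]          # too many guesses: burn the code
            return False
        if hmac.compare_digest(rec.token, candidate):
            del self._active[username]          # a code is single-use
            return True
        return False


def guess_success_probability(active_codes: int, code_space_bits: int) -> float:
    """Chance that one uniformly random guess matches any currently valid code.

    With k live codes drawn from a space of 2**n values, the per-guess success
    probability is k / 2**n: every extra live code scales the attacker's odds.
    """
    return active_codes / float(2 ** code_space_bits)
```

The store is in-memory only to keep the example self-contained; a real deployment would persist the same single-code-per-user invariant in its database and log burned or expired codes so repeated reset requests against one account stand out in monitoring.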
Mitigation:
Users are strongly encouraged to follow one of the mitigations below:
- Upgrade to Cloud Foundry v237 or later
- For standalone UAA users:
  - For users using UAA version 3.3.0 or prior, please upgrade UAA Release to v126.96.36.199 or later
  - For users using standalone login-server 1.X, please upgrade UAA Release to v188.8.131.52 or later
  - For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v11 or later
- Upgrade Pivotal Elastic Runtime to version 1.7.2
Credit: GE Digital Inc.
References:
- https://github.com/cloudfoundry/cf-release/releases/tag/v237
- https://github.com/cloudfoundry/uaa/releases/tag/184.108.40.206
- https://github.com/cloudfoundry/uaa-release/releases/tag/v11
History:
- 2016-May-23: Initial vulnerability report published