CVE-2016-3084 UAA Password Reset Vulnerability


Severity

Low

Vendor

Cloud Foundry Foundation

Versions Affected
  • Cloud Foundry release v236 and earlier versions
  • UAA release v3.3.0 and earlier versions
  • All versions of Login-server
  • UAA release v10 and earlier versions
  • Pivotal Elastic Runtime versions prior to 1.7.2
Description

The UAA reset password flow is vulnerable to a brute force attack due to multiple active codes at a given time. This vulnerability is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.

Mitigation

Users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry v237 [1] or later
  • For standalone UAA users
    • For users using UAA version 3.3.0 or prior, please upgrade to UAA Release to v3.3.0.1 [2] or later
    • For users using standalone login-server 1.X, please upgrade to UAA Release to v3.3.0.1 [2] or later
    • For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v11 [3] or later
  • Upgrade Pivotal Elastic Runtime to version 1.7.2
Credit

GE Digital Inc.

References
History

2016-May-23: Initial vulnerability report published