CVE-2016-5016 UAA accepts expired certificates


Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected
  • Cloud Foundry release v239 and earlier versions
  • UAA release v3.4.1 and earlier versions
  • UAA release V12.2 and earlier versions
  • PCF Elastic Runtime 1.6.x versions prior to 1.6.35
  • PCF Elastic Runtime 1.7.x versions prior to 1.7.13
Description

UAA uses the OpenJDK Java Runtime Environment TrustManager to store trusted certificates. TrustManager does not by default check certificates for expiration. UAA was found to accept expired certificates.

Mitigation

Users of affected versions should apply the following mitigation:

  • Upgrade to Cloud Foundry v240 [1] or later
  • For standalone UAA users
    • For users using UAA Version 3.0.0 - 3.4.0, please upgrade to UAA Release to v3.3.0.3 [3] or v3.4.2 [4]
    • For users using standalone UAA Version 2.X.X, please upgrade to UAA Release to v2.7.4.6 [2]
    • For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v12.3 [5] if upgrading to v3.4.2 [4] or v11.3 [6] if upgrading to v3.3.0.3 [3]

Pivotal Cloud Foundry users of affected versions are encouraged to follow the mitigation below:

  • Upgrade PCF Elastic Runtime 1.6.x versions to 1.6.35
  • Upgrade PCF Elastic Runtime 1.7.x versions to 1.7.14
    • While this issue was fixed in 1.7.13, due to an issue with auto-scaling it is recommended to upgrade to 1.7.14.

Credit

Krolim

References
History

2016-August-18: Initial vulnerability report published