CVE-2016-6637 UAA CSRF Vulnerability for OAuth Approvals


Severity

Low

Vendor

Cloud Foundry Foundation

Versions Affected
  • Cloud Foundry release v241 and earlier versions
  • UAA release v2.0.0 - v2.7.4.6 & v3.0.0 - v3.6.0
  • UAA bosh release v15 & earlier versions
  • PCF Elastic Runtime versions prior to 1.6.40 and 1.7.x versions prior to 1.7.21 and 1.8.x versions prior to 1.8.1
    • NOTE: Pivotal encourages upgrading 1.8.x versions to 1.8.2
  • PCF Ops Manager 1.7.x versions prior 1.7.13 and 1.8.x versions prior to 1.8.1
Description

The profile and authorize approval pages do not contain CSRF tokens, making an exploit to approve or deny scopes possible.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry v242 [1] or later
  • For standalone UAA users:
    • For users using UAA Version 3.0.0 - 3.6.0, please upgrade to UAA Release to v3.7.0[2], v3.4.4[3] or v3.3.0.5[4]
    • For users using standalone UAA Version 2.X.X, please upgrade to UAA Release to v2.7.4.7 [5]
    • For users using UAA bosh release, please upgrade to UAA-Release v16 [6] if upgrading to v3.7.0 [2] ,v12.5 [7] if upgrading to v3.4.4[3] or v11.5 [8] if upgrading to v3.3.0.5[4]

Pivotal Cloud Foundry users of affected versions are encouraged to follow the mitigations below:

  • Upgrade Pivotal Elastic Runtime 1.6.40 OR 1.7.x versions to 1.7.21 AND 1.8.x versions to 1.8.2
  • Upgrade Pivotal Ops Manager 1.7.x versions to 1.7.13 AND 1.8.x versions to 1.8.1

Credit

GE Digital Security Team

References
History

2016-09-26: Initial vulnerability report published