CVE-2016-8218 Unauthenticated JWT signing algorithm in routing


Severity

Critical

References
Affected Pivotal Products and Versions

Severity is critical unless otherwise noted.

  • Vulnerable cf-release versions listed here
  • PCF Elastic Runtime 1.8.x versions prior to 1.8.21
Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry project recommends mitigations for OSS users here
  • Upgrade PCF Elastic Runtime 1.8.x versions to 1.8.21

Special Note for 1.7.x and 1.8.x Ops Manager Deployments

The 1.7.x release line of Ops Manager includes a new feature that allows tile stemcells to “float”, which will allow Operators to update their Ops Manager deployment once rather than installing all new Services product releases. If you upgrade one Service tile in Ops Manager 1.7.x or 1.8.x with the newly released stemcell, all tiles will automatically upgrade. For more information about the floating stemcell feature, refer to this document.