CVE-2017-4959 Pivotal Cloud Foundry account authorization vulnerability

Severity

Critical

Vendor

Pivotal

Description

Pivotal Cloud Foundry deployments using the Pivotal Account application are vulnerable to a flaw which allows an authorized user to take over the account of another user, causing account lockout and potential escalation of privileges.

Affected Pivotal Products and Versions

Severity is critical unless otherwise noted.

PCF Elastic Runtime:
- 1.8.x versions prior to 1.8.29
- 1.9.x versions prior to 1.9.7
- Note: 1.6.x, 1.7.x, and earlier versions are not affected.

Mitigation

Users of affected versions should apply the following mitigation:

Upgrade PCF Elastic Runtime:
- 1.8.x versions to 1.8.29
- 1.9.x versions to 1.9.7
- Note: 1.6.x, 1.7.x, and earlier versions are not affected.

Important: To correctly mitigate this issue, the Push Pivotal Account errand must be checked in Post-Deploy Errands before upgrade. If you have already upgraded without running the errand, please contact Pivotal Support at https://support.pivotal.io/.

Credit

This vulnerability was responsibly reported by Andrew Cantino, Pivotal.

References

https://network.pivotal.io/products/elastic-runtime/

History

2017-02-14: Initial vulnerability report published

2017-02-15: Credit and note about upgrade errands added