CVE-2017-4960 UAA OAuth DoS via lockout feature


Severity

High

References

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • Vulnerable cf-release and UAA versions listed here
  • PCF Elastic Runtime 1.9.x versions prior to 1.9.10
  • PCF Operations Manager 1.9.x versions prior to 1.9.6

Mitigation

Users of affected versions should apply the following mitigations:

  • Upgrade PCF Elastic Runtime 1.9.x versions to 1.9.10 or later
  • Upgrade PCF Operations Manager 1.9.x versions to 1.9.6 or later
  • Mitigations for vulnerable cf-release and UAA versions listed here

Credit

This issue was responsibly reported by the Cloud Foundry UAA Team.