CVE-2017-4963 Session Fixation for UAA External Authentication


Severity

Low

References

Affected Pivotal Products and Versions

Severity is low unless otherwise noted.

  • Vulnerable cf-release and UAA versions listed here.
  • PCF Elastic Runtime 1.9.x versions prior to 1.9.10
  • PCF Operations Manager 1.9.x versions prior to 1.9.6

Mitigation

Users of affected versions should apply the following mitigation:

  • Upgrade PCF Elastic Runtime 1.9.x versions to 1.9.10 or later
  • Upgrade PCF Ops Manager 1.9.x versions to 1.9.6 or later
  • Mitigations for vulnerable cf-release and UAA versions listed here.

Credit

This issue was responsibly reported by the GE Digital Security Team.