CVE-2017-4991: UAA password reset vulnerability
Severity
High
References
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- PCF Elastic Runtime:
  - 1.6.x versions prior to 1.6.79
  - 1.7.x versions prior to 1.7.64
  - 1.8.x versions prior to 1.8.44
  - 1.9.x versions prior to 1.9.22
  - 1.10.x versions prior to 1.10.9
- PCF Operations Manager:
  - 1.7.x versions prior to 1.7.29
  - 1.8.x versions prior to 1.8.21
  - 1.9.x versions prior to 1.9.12
  - 1.10.x versions prior to 1.10.7
  - Note: Ops Manager 1.6.x and lower versions are not affected by this issue.
Mitigation
Users of affected versions should apply the following mitigation or upgrade:
- The Cloud Foundry team recommends upgrading BOSH stemcells and/or other OSS components listed here if applicable.
- Releases that have fixed this issue include:
  - PCF Elastic Runtime: 1.6.79, 1.7.64, 1.8.44, 1.9.22, 1.10.9
  - PCF Ops Manager: 1.7.29, 1.8.21, 1.9.12, 1.10.7