CVE-2017-4994: Forwarded Headers in UAA


Severity

High

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • PCF Elastic Runtime:
    • All 1.6.x versions
    • 1.7.x versions prior to 1.7.66
    • 1.8.x versions prior to 1.8.46
    • 1.9.x versions prior to 1.9.24
    • 1.10.x versions prior to 1.10.11
  • PCF Operations Manager:
    • All 1.7.x versions
    • 1.8.x versions prior to 1.8.23
    • 1.9.x versions prior to 1.9.14
    • 1.10.x versions prior to 1.10.9

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team recommends upgrading BOSH stemcells and/or the other affected OSS components called out in the upstream Cloud Foundry advisory for this CVE, where applicable.
  • Releases that have fixed this issue include:
    • PCF Elastic Runtime: 1.7.66, 1.8.46, 1.9.24, 1.10.11
      • Note: no fixed 1.6.x release is listed; Elastic Runtime 1.6.x deployments should upgrade to a fixed release on a later line.
    • PCF Operations Manager: 1.8.23, 1.9.14, 1.10.9
      • Note: an Operations Manager 1.7.x release fixing this issue is forthcoming; until it ships, all 1.7.x versions remain affected.