Cloud Foundry has disclosed a privilege escalation flaw in User Account and Authentication software

Pierluigi Paganini July 11, 2017

The Open source devops platform Cloud Foundry fixed a bug that affects its User Account and Authentication server software.

The Open source devops platform Cloud Foundry has disclosed a vulnerability, tracked as CVE-2017-8032, that affects its User Account and Authentication server software. The flaw, rated by the organization as high-severity, could be exploited by zone administrators to escalate their privileges when mapping permissions for an external provider.

The User Account and Authentication is the Cloud Foundry ID management service that implements the  OAuth2 authentication protocol.

Cloud Foundry disclosed a privilege escalation flaw in UAA software

CVE-2017-8032 was patched in an update last week, and the detailed advisory landed June 12 here.

“In Cloud Foundry cf-release versions prior to v264; UAA release all versions of UAA v2.x.x, 3.6.x versions prior to v3.6.13, 3.9.x versions prior to v3.9.15, 3.20.x versions prior to v3.20.0, and other versions prior to v4.4.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.17, 24.x versions prior to v24.12. 30.x versions prior to 30.5, and other versions prior to v41, zone administrators are allowed to escalate their privileges when mapping permissions for an external provider.” reads the description published by the Mitre.

The vulnerability affects the following versions of UAA and cf-release versions prior to v264:

  • UAA release:
    • All versions of UAA v2.x.x
    • 3.6.x versions prior to v3.6.13
    • 3.9.x versions prior to v3.9.15
    • 3.20.x versions prior to v3.20.0
    • Other versions prior to v4.4.0
  • UAA bosh release (uaa-release):
    • 13.x versions prior to v13.17
    • 24.x versions prior to v24.12
    • 30.x versions prior to 30.5
    • Other versions prior to v41

The Cloud Foundry security advisory highlights that a foundation is vulnerable only if all of the following conditions are satisfied:

  • You are using multiple zones in UAA
  • You are giving out admin privileges for managing external providers (LDAP/SAML/OIDC) and corresponding group mappings
  • You have enabled LDAP/SAML/OIDC providers and external group mappings

Cloud Foundry suggests making one of these conditions false to mitigate the threat.

Revising any of these settings serves as a mitigation ahead of implementing a patch, Cloud Foundry says.

The advisory includes the link to upgrade both Cloud Foundry users to version 264 or later and standalone UAA users that have to install the 3.x.x series.

[adrotate banner=”9″]

Pierluigi Paganini 

(Security Affairs – Cloud Foundry, User Account and Authentication)

[adrotate banner=”13″]



you might also like

leave a comment