CVE-2016-0732 Privilege Escalation
Chip Childers <cchilders@...>
Severity

Critical

Vendor

Cloud Foundry Foundation

Versions Affected

Cloud Foundry v208 through v229
UAA v2.0.0 - v2.7.3 & v3.0.0
UAA-Release v2 through v4

Description

A vulnerability has been identified in the identity zones feature of UAA that allows elevation of privileges. Users holding the appropriate permissions in one identity zone can perform unauthorized operations in a different zone. Only UAA instances configured with multiple identity zones are vulnerable.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

- Upgrade to Cloud Foundry v230 [1] or later
- For standalone UAA users:
  - If you are running UAA version 3.0.0, please upgrade UAA to release v3.0.1 [3] or later
  - If you are running standalone UAA version 2.X.X, please upgrade UAA to release v2.7.4 [2] or v3.0.1 [3]
- For users of UAA-Release (the UAA BOSH release), please upgrade to UAA-Release v5 [4]

Credit

Discovered by the GE Digital Security Team

References

[1] https://github.com/cloudfoundry/cf-release/releases/tag/v230
[2] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4
[3] https://github.com/cloudfoundry/uaa/releases/tag/3.0.1
[4] https://github.com/cloudfoundry/uaa-release/releases/tag/v5

History

2016-Feb-2: Initial vulnerability report published