CVE-2016-0781 UAA Password Reset Vulnerability
Chip Childers <cchilders@...>
Severity
Low
Vendor
Cloud Foundry Foundation
Versions Affected
- Cloud Foundry release v236 and earlier versions
- UAA release v3.3.0 and earlier versions
- All versions of Login-server
- UAA release v10 and earlier versions
Description
The UAA reset password flow is vulnerable to a brute force attack due to
multiple active codes at a given time. This vulnerability is applicable
only when using the UAA internal user store for authentication. Deployments
enabled for integration via SAML or LDAP are not affected.
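To make the description concrete, the following added Python example (constructed for this advisory, not code from UAA or Cloud Foundry) contrasts a reset-code store that leaves every issued code valid until it expires with one that keeps a single live code per user. The 6-digit numeric code, one-hour lifetime and 5-failure revocation limit are illustrative assumptions; the point is that each additional simultaneously valid code multiplies the chance that a blind guess succeeds, and that replacing the outstanding code on each new request removes that multiplier.

```python
"""Password-reset code stores: many active codes per user versus one.

Constructed example for CVE-2016-0781; not UAA or Cloud Foundry code.
The code length, TTL and attempt limit below are illustrative assumptions.
"""
import secrets
from dataclasses import dataclass

CODE_LEN = 6                 # assumption: 6-digit numeric reset codes
KEYSPACE = 10 ** CODE_LEN    # number of distinct codes that can be issued
TTL_SECONDS = 3600           # assumption: a code lives for one hour
MAX_FAILED_ATTEMPTS = 5      # assumption: wrong guesses tolerated before revocation


def random_code():
    """Cryptographically random, zero-padded numeric code."""
    return f"{secrets.randbelow(KEYSPACE):0{CODE_LEN}d}"


@dataclass
class ResetCode:
    code: str
    expires_at: float
    failed_attempts: int = 0


class MultiActiveStore:
    """Weak pattern: every reset request appends another valid code and never
    revokes earlier ones, so N requests leave N live codes for the same user."""

    def __init__(self, code_source=random_code):
        self._codes = {}                 # user -> list[ResetCode]
        self._code_source = code_source  # injectable for deterministic tests

    def issue(self, user, now):
        rc = ResetCode(self._code_source(), now + TTL_SECONDS)
        self._codes.setdefault(user, []).append(rc)
        return rc.code

    def active_codes(self, user, now):
        return [c for c in self._codes.get(user, []) if c.expires_at > now]

    def redeem(self, user, code, now):
        # Any one of the live codes is accepted, which is exactly the weakness.
        for rc in self.active_codes(user, now):
            if secrets.compare_digest(rc.code, code):
                self._codes[user].remove(rc)
                return True
        return False


class SingleActiveStore:
    """Hardened pattern: one live code per user, superseded on every new
    request, expired by TTL and revoked after repeated wrong guesses."""

    def __init__(self, code_source=random_code):
        self._codes = {}                 # user -> ResetCode
        self._code_source = code_source

    def issue(self, user, now):
        # A new request invalidates whatever code was outstanding for this user.
        rc = ResetCode(self._code_source(), now + TTL_SECONDS)
        self._codes[user] = rc
        return rc.code

    def active_codes(self, user, now):
        rc = self._codes.get(user)
        return [rc] if rc is not None and rc.expires_at > now else []

    def redeem(self, user, code, now):
        rc = self._codes.get(user)
        if rc is None or rc.expires_at <= now:
            self._codes.pop(user, None)  # drop an expired code
            return False
        if secrets.compare_digest(rc.code, code):
            del self._codes[user]        # single use: a code redeems once
            return True
        rc.failed_attempts += 1
        if rc.failed_attempts >= MAX_FAILED_ATTEMPTS:
            del self._codes[user]        # revoke after too many wrong guesses
        return False


def guess_success_probability(store, user, now):
    """Chance that one uniformly random guess matches a currently valid code."""
    return len(store.active_codes(user, now)) / KEYSPACE


def expected_guesses(store, user, now):
    """Mean number of blind guesses until one succeeds (geometric distribution)."""
    p = guess_success_probability(store, user, now)
    return float("inf") if p == 0 else 1 / p


if __name__ == "__main__":
    for cls in (MultiActiveStore, SingleActiveStore):
        store = cls()
        for _ in range(5):               # the same user requests a reset five times
            store.issue("alice", now=0.0)
        print(cls.__name__, len(store.active_codes("alice", 0.0)),
              "active code(s); expected blind guesses:",
              expected_guesses(store, "alice", 0.0))
```

Run stand-alone, the script shows five live codes for the weak store against one for the hardened store, and the expected number of blind guesses needed shrinks in proportion. In a real service the per-user failure counter would be backed by the same durable store as the codes, and a per-IP rate limit on the reset endpoint would sit in front of it; both are left out here to keep the comparison readable.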
Mitigation
Users are strongly encouraged to follow one of the mitigations below:
- Upgrade to Cloud Foundry v237 [1] or later
- For standalone UAA users:
  - For users using UAA version 3.3.0 or prior, please upgrade UAA Release to v3.3.0.1 [2] or later
  - For users using standalone login-server 1.X, please upgrade UAA Release to v3.3.0.1 [2] or later
  - For users using UAA-Release (UAA bosh release), please upgrade to UAA-Release v11 [3] or later
Credit
GE Digital Inc.
References
[1] https://github.com/cloudfoundry/cf-release/releases/tag/v237
[2] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.1
[3] https://github.com/cloudfoundry/uaa-release/releases/tag/v11
History
2016-Mar-23: Initial vulnerability report published