CVE-2016-4468 UAA SQL Injection


Chip Childers <cchilders@...>
 

CVE-2016-4468 UAA SQL Injection

Severity

High

Vendor

Cloud Foundry Foundation

Versions Affected

- Cloud Foundry release v237 and earlier versions
- UAA release v3.4.0 and earlier versions
- UAA-Release (UAA bosh release) v12 and earlier versions

Description

There is the potential for a SQL injection attack in UAA for authenticated
users.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

- Upgrade to Cloud Foundry v238 [1] or later
- For standalone UAA users:
  - For users using UAA version 3.0.0 - 3.4.0, please upgrade UAA to
    v3.3.0.2 [3] or v3.4.1 [4]
  - For users using standalone UAA version 2.X.X, please upgrade UAA to
    v2.7.4.4 [2]
- For users using UAA-Release (UAA bosh release), please upgrade to
  UAA-Release v12.2 [5] if upgrading to v3.4.1 [4] or v11.2 [6] if upgrading
  to v3.3.0.2 [3]
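
To turn the version list above into a check an operator can run, here is an added example (not part of the advisory or the UAA project) that classifies a deployed cf-release, standalone UAA or uaa-release version against the affected and fixed releases named in this advisory and reports the upgrade target it lists. It assumes that any build at or above a listed fix release on the same line (3.3.x, 2.7.x, uaa-release 11.x) carries the fix, which the advisory itself does not state.

```python
import re

def parse_version(text):
    """Turn 'v3.4.1', '3.3.0.2' or 'V12' into a 4-int tuple so that
    '12' and '12.0' compare equal and '3.3.0' sorts below '3.3.0.2'."""
    cleaned = text.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+){0,3}", cleaned):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in cleaned.split("."))
    return parts + (0,) * (4 - len(parts))

# Per component: (first fixed build on a line, exclusive end of that line),
# taken from the advisory's fix releases. Treating later builds on the 3.3.x,
# 2.7.x and uaa-release 11.x lines as fixed is an assumption of this example.
FIXED = {
    "cf-release":  [(parse_version("238"), None)],
    "uaa":         [(parse_version("3.4.1"), None),
                    (parse_version("3.3.0.2"), parse_version("3.4.0")),
                    (parse_version("2.7.4.4"), parse_version("3.0.0"))],
    "uaa-release": [(parse_version("12.2"), None),
                    (parse_version("11.2"), parse_version("12"))],
}

def recommended_target(component, version):
    """The upgrade the advisory names for an affected build, or None when
    it names none for that line (for example UAA 1.x)."""
    if component == "cf-release":
        return "cf-release v238 [1]"
    if component == "uaa-release":
        return "uaa-release 12.2 [5] (UAA 3.4.1) or 11.2 [6] (UAA 3.3.0.2)"
    if parse_version("3.0.0") <= version <= parse_version("3.4.0"):
        return "UAA 3.3.0.2 [3] or 3.4.1 [4]"
    if parse_version("2") <= version < parse_version("3"):
        return "UAA 2.7.4.4 [2]"
    return None

def assess(component, version_text):
    """Return (affected, recommended_target) for CVE-2016-4468."""
    version = parse_version(version_text)
    for fixed_from, line_end in FIXED[component]:
        if version >= fixed_from and (line_end is None or version < line_end):
            return False, None
    return True, recommended_target(component, version)

if __name__ == "__main__":
    # Constructed sample inventory, one entry per component type.
    for comp, ver in [("cf-release", "v237"), ("uaa", "3.4.0"),
                      ("uaa", "2.7.4.4"), ("uaa-release", "V12")]:
        print(comp, ver, assess(comp, ver))
```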


Credit

Graham Viski, Digital Transformation Office, Australian Government

References

[1] https://github.com/cloudfoundry/cf-release/releases/tag/v238

[2] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.4

[3] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.2

[4] https://github.com/cloudfoundry/uaa/releases/tag/3.4.1

[5] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=12.2

[6] http://bosh.io/releases/github.com/cloudfoundry/uaa-release?version=11.2

History

2016-06-30: Initial vulnerability report published
