CVE-2016-5016 UAA accepts expired certificates


Chip Childers <cchilders@...>

Severity

High
Vendor

Cloud Foundry Foundation
Versions Affected

- Cloud Foundry release v239 and earlier versions
- UAA release v3.4.1 and earlier versions
- UAA-Release (the UAA bosh release) v12.2 and earlier versions

Description

UAA relies on the OpenJDK Java Runtime Environment TrustManager to hold its
trusted certificates. The TrustManager does not, by default, check those
certificates against their validity period, so UAA was found to accept
certificates that had already expired.
Mitigation

Users are strongly encouraged to follow one of the mitigations below:

- Upgrade to Cloud Foundry v240 [1] or later
- For standalone UAA users:
  - Users running UAA 3.0.0 - 3.4.0 should upgrade to UAA release
    v3.3.0.3 [3] or v3.4.2 [4]
  - Users running standalone UAA 2.x.x should upgrade to UAA release
    v2.7.4.6 [2]
  - Users of UAA-Release (the UAA bosh release) should upgrade to
    UAA-Release v12.3 [5] if moving to UAA v3.4.2 [4], or to
    UAA-Release v11.3 [6] if moving to UAA v3.3.0.3 [3]

Credit

Krolim <https://github.com/krolim>

References

[1] https://github.com/cloudfoundry/cf-release/releases/tag/v240

[2] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6

[3] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3

[4] https://github.com/cloudfoundry/uaa/releases/tag/3.4.2

[5] https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3

[6] https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3

History

2016-08-18: Initial vulnerability report published
