CVE-2016-5016 UAA accepts expired certificates

Chip Childers <cchilders@...>

CVE-2016-5016 UAA accepts expired certificatesSeverity


Cloud Foundry Foundation
Versions Affected


Cloud Foundry release v239 and earlier versions

UAA release v3.4.1 and earlier versions

UAA release V12.2 and earlier versions


UAA uses the OpenJDK Java Runtime Environment TrustManager to store trusted
certificates. TrustManager does not by default check certificates for
expiration. UAA was found to accept expired certificates.

Users are strongly encouraged to follow one of the mitigations below:


Upgrade to Cloud Foundry v240 [1] or later

For standalone UAA users


For users using UAA Version 3.0.0 - 3.4.0, please upgrade to UAA Release
to v3.3.0.3 [3] or v3.4.2 [4]

For users using standalone UAA Version 2.X.X, please upgrade to UAA
Release to v2.7.4.6 [2]

For users using UAA-Release (UAA bosh release), please upgrade to
UAA-Release v12.3 [5] if upgrading to v3.4.2 [4] or v11.3 [6] if upgrading
to v3.3.0.3 [3]


Krolim <>







2016-08-18: Initial vulnerability report published

Join { to automatically receive all group messages.