Re: CVE-2016-8218: Unauthenticated JWT signing algorithm in routing

Home Messages Hashtags Subgroups

#6186

Re: CVE-2016-8218: Unauthenticated JWT signing algorithm in routing

Molly Crowther #6186 After some discussion with Shannon, it appears that the affected release versions in the initial notice were not correct. We have corrected the version numbers in the notice on cloudfoundry.org. The versions vulnerable to this exploit are: - routing-release versions prior to 0.142.0 - cf-release versions 203 to 231 Please review and let us know if you have any questions. Apologies for the confusion. https://www.cloudfoundry.org/cve-2016-8218/ Thanks, Molly Crowther CFF Security Team toggle quoted messageShow quoted text On Wed, Dec 14, 2016 at 11:14 AM, Shannon Coen <scoen(a)pivotal.io> wrote: Additional clarification: The Routing API component was included with cf-releases v203-231 during early experimental development. These releases are quite old (v231 was released a year ago) and we expect most operators have upgraded since then, but if you have not you should do so now. Shannon Coen Product Manager, Cloud Foundry Pivotal, Inc. On Sat, Dec 10, 2016 at 12:34 PM, Shannon Coen <scoen(a)pivotal.io> wrote: Clarification: The routing-api job is not deployed with cf-release. It is deployed with the routing-release [1], which provides support for TCP routing to apps on Diego. If you have not deployed the routing-release specifically, then chances are you do not have the routing-api job deployed and no action is required. To confirm, look at your BOSH deployments. $ bosh deployments For those who have deployed the routing-release, we recommend upgrading now to version 0.142.0 which contains a fix for the vulnerability: https://github.com/cloudfoundry-incubator/routing-release/releases/tag/0. 142.0 [1] https://github.com/cloudfoundry-incubator/routing-release Best, Shannon Coen Product Manager, Cloud Foundry Pivotal, Inc. On Fri, Dec 9, 2016 at 11:00 PM, Molly Crowther < mcrowther(a)cloudfoundry.org> wrote: A new cf-release has been cut to mitigate the following issue. This notice can also be found at https://www.cloudfoundry.org/cve-2016-8218/. An RSS feed of Cloud Foundry vulnerabilities is available at https://www.cloudfoundry.org/category/security/feed/. CVE-2016-8218: Unauthenticated JWT signing algorithm in routing Severity Critical Vendor Cloud Foundry Foundation Versions Affected - cf-release versions prior to 237, if: - any versions of routing release have been uploaded, AND - the routing API is enabled through a manifest property on cf-release - cf-release versions 237 and later, prior to v249 Description Incomplete validation logic in JSON Web Token (JWT) libraries can allow unprivileged attackers to impersonate other users to the routing API. Mitigation OSS users of affected versions are strongly encouraged to: - Upgrade to Cloud Foundry v249 [1] or later Credit The issue was responsibly reported by a Pivotal team member. References - [1] https://github.com/cloudfoundry/cf-release/releases History2016-12-09: Initial vulnerability report published attachment.html
More All Messages By This Member

View All 4 Messages In Topic

#6186

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.

Home Hashtags Subgroups Terms