Re: CVE-2016-8218: Unauthenticated JWT signing algorithm in routing


Molly Crowther

After some discussion with Shannon, it appears that the affected release
versions in the initial notice were not correct. We have corrected the
version numbers in the notice on cloudfoundry.org.

The versions vulnerable to this exploit are:

- routing-release versions prior to 0.142.0
- cf-release versions 203 to 231


Please review and let us know if you have any questions. Apologies for the
confusion.

https://www.cloudfoundry.org/cve-2016-8218/

Thanks,
Molly Crowther
CFF Security Team

On Wed, Dec 14, 2016 at 11:14 AM, Shannon Coen <scoen(a)pivotal.io> wrote:

Additional clarification:

The Routing API component was included with cf-releases v203-231 during
early experimental development. These releases are quite old (v231 was
released a year ago) and we expect most operators have upgraded since then,
but if you have not you should do so now.

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Sat, Dec 10, 2016 at 12:34 PM, Shannon Coen <scoen(a)pivotal.io> wrote:

Clarification:

The routing-api job is not deployed with cf-release. It is deployed with
the routing-release [1], which provides support for TCP routing to apps on
Diego. If you have not deployed the routing-release specifically, then
chances are you do not have the routing-api job deployed and no action is
required.

To confirm, look at your BOSH deployments.

$ bosh deployments

For those who have deployed the routing-release, we recommend upgrading
now to version 0.142.0 which contains a fix for the vulnerability:
https://github.com/cloudfoundry-incubator/routing-release/releases/tag/0.142.0

[1] https://github.com/cloudfoundry-incubator/routing-release

Best,

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.
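As an added example, not part of Shannon's message or of routing-release, the following POSIX shell script turns the "look at your BOSH deployments" step into a check: it reads `bosh deployments` output, extracts any deployed routing release version, and reports whether it is older than the fixed 0.142.0. It assumes the Release(s) column lists releases as name/version and that the release is named `routing`; the sample output embedded below is constructed in that shape, not captured from a real director.

```shell
#!/bin/sh
# Added example, not part of the advisory or routing-release: flag a deployed
# routing release older than the fixed 0.142.0 from `bosh deployments` output.
# Assumption: the Release(s) column lists releases as name/version (e.g.
# routing/0.141.0) and the routing-release is named "routing".

FIXED_VERSION=0.142.0

# Print every routing/<version> found on stdin, one version per line.
routing_versions() {
    grep -o 'routing/[0-9][0-9.]*' | cut -d/ -f2 | sort -u
}

# version_lt A B: succeed if dotted version A is numerically older than B.
# Implemented in awk rather than `sort -V` so it also works on BSD/macOS sort.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            ai = (i <= n) ? x[i] + 0 : 0
            bi = (i <= m) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1
    }'
}

# Read `bosh deployments` output on stdin; return 1 if an affected routing
# release is deployed, 0 if it is absent or already at/after the fix.
check_deployments() {
    found=0
    vulnerable=0
    for v in $(routing_versions); do
        found=1
        if version_lt "$v" "$FIXED_VERSION"; then
            echo "routing/$v deployed: affected, upgrade to $FIXED_VERSION"
            vulnerable=1
        else
            echo "routing/$v deployed: at or past the fix"
        fi
    done
    [ "$found" -eq 1 ] || echo "routing release not deployed: no action required"
    return "$vulnerable"
}

# Constructed sample in the shape of BOSH CLI v1 output, not captured from a director.
SAMPLE='+------+-----------------------+
| Name | Release(s)            |
+------+-----------------------+
| cf   | cf/231                |
|      | routing/0.141.0       |
+------+-----------------------+'

# Demo run over the constructed sample.
if printf '%s\n' "$SAMPLE" | check_deployments; then
    echo "verdict: no action required"
else
    echo "verdict: action required"
fi
```

To run it against a real director, source the file and pipe the CLI output into the function (`bosh deployments | check_deployments`); the exit status is 1 only when a routing release below 0.142.0 is found, so it can gate a CI job.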

On Fri, Dec 9, 2016 at 11:00 PM, Molly Crowther <mcrowther(a)cloudfoundry.org> wrote:

A new cf-release has been cut to mitigate the following issue. This
notice can also be found at https://www.cloudfoundry.org/cve-2016-8218/.
An RSS feed of Cloud Foundry vulnerabilities is available at
https://www.cloudfoundry.org/category/security/feed/.


CVE-2016-8218: Unauthenticated JWT signing algorithm in routing

Severity

Critical

Vendor

Cloud Foundry Foundation

Versions Affected

- cf-release versions prior to 237, if:
  - any versions of routing release have been uploaded, AND
  - the routing API is enabled through a manifest property on cf-release
- cf-release versions 237 and later, prior to v249

Description

Incomplete validation logic in JSON Web Token (JWT) libraries can allow
unprivileged attackers to impersonate other users to the routing API.

Mitigation

OSS users of affected versions are strongly encouraged to:

- Upgrade to Cloud Foundry v249 [1] or later

Credit

The issue was responsibly reported by a Pivotal team member.

References

- [1] https://github.com/cloudfoundry/cf-release/releases

History

2016-12-09: Initial vulnerability report published
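The advisory describes the defect only as incomplete validation logic around the JWT signing algorithm and does not say which variant affected the routing-api. The Go program below is an added illustration written for this page, not code from routing-release or any Cloud Foundry component, of the best-known form of an unauthenticated `alg` field: a verifier that lets the token pick between RS256 and HS256 while holding a single key blob, so anyone who knows the issuer's public key can HMAC a forged token with those same bytes. The claim and scope names, the function names, and the use of a DER-encoded key (real services usually hold a PEM string, and the attacker uses exactly the bytes the verifier holds) are assumptions for the example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

func enc(v interface{}) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }
func digest(s string) []byte  { h := sha256.Sum256([]byte(s)); return h[:] }
func hmacSHA256(key []byte, s string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(s))
	return m.Sum(nil)
}

// token assembles header.claims.signature; "alg" is whatever the caller says it is.
func token(alg string, claims map[string]interface{}, sign func(input string) []byte) string {
	input := enc(map[string]string{"alg": alg}) + "." + enc(claims)
	return input + "." + b64.EncodeToString(sign(input))
}

// parts splits a compact JWT; bad base64 yields an empty part that fails later checks.
func parts(tok string) (alg, input string, sig []byte, claims map[string]interface{}, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return "", "", nil, nil, fmt.Errorf("malformed token: %d parts", len(p))
	}
	var hdr map[string]string
	hb, _ := b64.DecodeString(p[0])
	cb, _ := b64.DecodeString(p[1])
	sig, _ = b64.DecodeString(p[2])
	if err = json.Unmarshal(hb, &hdr); err == nil {
		err = json.Unmarshal(cb, &claims)
	}
	return hdr["alg"], p[0] + "." + p[1], sig, claims, err
}

// verifyTrustingHeader is the bug class: the unauthenticated "alg" picks the primitive,
// and the one key blob the verifier holds (the issuer's DER-encoded RSA public key) is fed to it.
func verifyTrustingHeader(tok string, key []byte) (map[string]interface{}, error) {
	alg, input, sig, claims, err := parts(tok)
	if err != nil {
		return nil, err
	}
	var ok bool
	switch alg {
	case "RS256":
		pub, perr := x509.ParsePKIXPublicKey(key)
		rsaPub, isRSA := pub.(*rsa.PublicKey)
		ok = perr == nil && isRSA && rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest(input), sig) == nil
	case "HS256": // the public key is now an HMAC secret that everyone knows
		ok = hmac.Equal(hmacSHA256(key, input), sig)
	}
	if !ok {
		return nil, fmt.Errorf("signature check failed for alg %q", alg)
	}
	return claims, nil
}

// verifyPinnedRS256 is the fix: the verifier, not the token, decides the algorithm.
func verifyPinnedRS256(tok string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	alg, input, sig, claims, err := parts(tok)
	if err != nil {
		return nil, err
	}
	if alg != "RS256" {
		return nil, fmt.Errorf("alg %q rejected: verifier is pinned to RS256", alg)
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(input), sig); err != nil {
		return nil, err
	}
	return claims, nil
}

// Demo: genuine RS256 token vs. an HS256 forgery built from public material only (claim names illustrative).
func Demo() (legitOK, vulnAcceptsForgery, pinnedAcceptsForgery bool) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)          // rand.Reader does not fail in practice
	pubDER, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // the blob the verifier holds
	legit := token("RS256", map[string]interface{}{"sub": "operator", "scope": []string{"routing.routes.read"}},
		func(in string) []byte { s, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(in)); return s })
	forged := token("HS256", map[string]interface{}{"sub": "attacker", "scope": []string{"routing.routes.write"}},
		func(in string) []byte { return hmacSHA256(pubDER, in) })
	_, l1 := verifyTrustingHeader(legit, pubDER)
	_, l2 := verifyPinnedRS256(legit, &priv.PublicKey)
	_, f1 := verifyTrustingHeader(forged, pubDER)
	_, f2 := verifyPinnedRS256(forged, &priv.PublicKey)
	return l1 == nil && l2 == nil, f1 == nil, f2 == nil
}

func main() { fmt.Println(Demo()) } // prints: true true false
```

The point of the second verifier is that the accepted algorithm is configuration on the verifying side, checked before any key material is touched; that also closes the `alg=none` variant, which the first verifier here rejects only because no case happens to match it. Any fix in a real service should look like `verifyPinnedRS256`, with the allowed algorithm and key type chosen by the operator, not read from the token.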
