Re: CVE-2016-8218: Unauthenticated JWT signing algorithm in routing

Molly Crowther

After some discussion with Shannon, it appears that the affected release
versions in the initial notice were not correct. We have corrected the
version numbers in the notice on

The versions vulnerable to this exploit are:

- routing-release versions prior to 0.142.0
- cf-release versions 203 to 231

Please review and let us know if you have any questions. Apologies for the

Molly Crowther
CFF Security Team

On Wed, Dec 14, 2016 at 11:14 AM, Shannon Coen <scoen(a)> wrote:

Additional clarification:

The Routing API component was included with cf-releases v203-231 during
early experimental development. These releases are quite old (v231 was
released a year ago) and we expect most operators have upgraded since then,
but if you have not you should do so now.

Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Sat, Dec 10, 2016 at 12:34 PM, Shannon Coen <scoen(a)> wrote:


The routing-api job is not deployed with cf-release. It is deployed with
the routing-release [1], which provides support for TCP routing to apps on
Diego. If you have not deployed the routing-release specifically, then
chances are you do not have the routing-api job deployed and no action is

To confirm, look at your BOSH deployments.

$ bosh deployments

For those who have deployed the routing-release, we recommend upgrading
now to version 0.142.0 which contains a fix for the vulnerability:



Shannon Coen
Product Manager, Cloud Foundry
Pivotal, Inc.

On Fri, Dec 9, 2016 at 11:00 PM, Molly Crowther <
mcrowther(a)> wrote:

A new cf-release has been cut to mitigate the following issue. This
notice can also be found at
An RSS feed of Cloud Foundry vulnerabilities is available at

CVE-2016-8218: Unauthenticated JWT signing algorithm in routing


Cloud Foundry Foundation
Versions Affected


cf-release versions prior to 237, if:

- any versions of routing release have been uploaded, AND
- the routing API is enabled through a manifest property on

cf-release versions 237 and later, prior to v249


Incomplete validation logic in JSON Web Token (JWT) libraries can
allow unprivileged attackers to impersonate other users to the routing API.

OSS users of affected versions are strongly encouraged to:

- Upgrade to Cloud Foundry v249 [1] or later


The issue was responsibly reported by a Pivotal team member.



History

2016-12-09: Initial vulnerability report published
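As an added illustration, not code from the advisory or from the Cloud Foundry routing API, the Python below puts the incomplete check the advisory describes beside a corrected one. A verifier that lets the token's own header choose the signing algorithm will treat a token declaring `alg: none` as verified and accept whatever subject it carries; a verifier that pins the algorithm it expects rejects such a token before it ever looks at the signature. The HS256 key, the claim values and the unsigned token are constructed for the example; the key type and JWT library the routing API actually uses are not stated on the page.

```python
"""Two JWT verifiers side by side: one that lets the token's header pick the
signing algorithm (the incomplete check) and one that pins the algorithm."""
import base64
import hashlib
import hmac
import json

# Constructed demo key for this example; a real deployment's key is not on the page.
DEMO_KEY = b"constructed-demo-key"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_input(alg: str, claims: dict) -> str:
    """base64url(header).base64url(claims), the bytes a JWS signature covers."""
    header = {"alg": alg, "typ": "JWT"}
    return ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )


def _hs256(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a well-formed HS256 token: header.claims.signature."""
    signing_input = _signing_input("HS256", claims)
    return f"{signing_input}.{_b64url_encode(_hs256(signing_input, key))}"


def unsigned_token(claims: dict) -> str:
    """Token whose header declares alg 'none' and whose signature part is empty.
    Constructed here only as the input that separates the two verifiers below."""
    return _signing_input("none", claims) + "."


def _parse(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims, f"{parts[0]}.{parts[1]}", _b64url_decode(parts[2])


def verify_trusting_header(token: str, key: bytes) -> dict:
    """The incomplete check: the header picks the algorithm, so 'none' is honoured
    and a token with no signature at all comes back as verified."""
    header, claims, signing_input, signature = _parse(token)
    alg = header.get("alg")
    if alg == "HS256":
        if not hmac.compare_digest(signature, _hs256(signing_input, key)):
            raise ValueError("signature mismatch")
        return claims
    if alg == "none":
        return claims  # the gap: nothing was checked, any subject is accepted
    raise ValueError(f"unsupported alg {alg!r}")


def verify_pinned(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """The corrected check: the verifier decides which algorithm is acceptable and
    rejects a token whose header says otherwise before looking at the signature."""
    if expected_alg != "HS256":
        raise ValueError("this example only implements HS256")
    header, claims, signing_input, signature = _parse(token)
    if header.get("alg") != expected_alg:
        raise ValueError(f"token alg {header.get('alg')!r} != expected {expected_alg!r}")
    if not hmac.compare_digest(signature, _hs256(signing_input, key)):
        raise ValueError("signature mismatch")
    return claims


def demo() -> dict:
    """Run both verifiers over a forged and a genuine token; return the outcomes."""
    forged = unsigned_token({"sub": "someone-else"})   # constructed impersonation attempt
    genuine = sign_hs256({"sub": "alice"}, DEMO_KEY)   # constructed legitimate token
    outcome = {}
    for name, verifier in (("trusting_header", verify_trusting_header), ("pinned", verify_pinned)):
        try:
            verifier(forged, DEMO_KEY)
            outcome[f"{name}_accepts_forged"] = True
        except ValueError:
            outcome[f"{name}_accepts_forged"] = False
    outcome["pinned_accepts_genuine"] = verify_pinned(genuine, DEMO_KEY)["sub"] == "alice"
    return outcome


if __name__ == "__main__":
    print(demo())
```

The pinned verifier is the shape of the fix a JWT consumer wants regardless of library: the acceptable algorithm (and key) is configuration on the verifying side, and the token's header is only compared against it, never used to select the check. Note that `verify_pinned` also rejects a token signed under a different key, so the strictness costs nothing for legitimate tokens.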
