CVE-2016-6637 UAA CSRF Vulnerability for OAuth Approvals
Severity

Low
Vendor

Cloud Foundry Foundation
Versions Affected

-

Cloud Foundry release v241 and earlier versions
-

UAA release v2.0.0 - v2.7.4.6 & v3.0.0 - v3.6.0
-

UAA bosh release v15 & earlier versions

Description

The profile and authorize approval pages do not contain CSRF tokens, making
an exploit to approve or deny scopes possible.
Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

-

Upgrade to Cloud Foundry v242 [1] or later
-

For standalone UAA users
-

For users using UAA Version 3.0.0 - 3.6.0, please upgrade to UAA
Release to v3.7.0[2], v3.4.4[3] or v3.3.0.5[4]
-

For users using standalone UAA Version 2.X.X, please upgrade to UAA
Release to v2.7.4.7 [5]
-

For users using UAA bosh release, please upgrade to UAA-Release v16
[6] if upgrading to v3.7.0 [2] ,v12.5 [7] if upgrading to v3.4.4[3] or
v11.5 [8] if upgrading to v3.3.0.5[4]

Credit

GE Digital Security Team
References

-

[1] https://github.com/cloudfoundry/cf-release/releases/tag/v242
-

[2] https://github.com/cloudfoundry/uaa/releases/tag/3.7.0
-

[3] https://github.com/cloudfoundry/uaa/releases/tag/3.4.4
-

[4] https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.5
-

[5] https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.7
-

[6] https://github.com/cloudfoundry/uaa-release/releases/tag/v16
-

[7] https://github.com/cloudfoundry/uaa-release/releases/tag/v12.5
-

[8] https://github.com/cloudfoundry/uaa-release/releases/tag/v11.5

History

2016-09-26: Initial vulnerability report published