Cloud Foundry had a privilege escalation bug
Mitigate if you must, patch if you can
Open source devops platform Cloud Foundry has disclosed a potentially nasty bug in its User Account and Authentication server software.
UAA is the Cloud Foundry ID management service, using OAuth2 to issue tokens for client applications that act on behalf of users.
The short version: “Zone administrators are allowed to escalate their privileges when mapping permissions for an external provider.”
The vulnerability note doesn't detail the extent of the elevated privileges, but the organisation rates it as high-severity.
The issue affects nine versions of UAA and cf-release versions prior to v264.
Fortunately, the vulnerability depends on a number of requirements, as Cloud Foundry explains:
- It only affects systems where “you are using multiple zones in UAA”;
- “You are giving out admin privileges for managing external providers (LDAP/SAML/OIDC) and corresponding group mappings”; and
- “You have enabled LDAP/SAML/OIDC providers and external group mappings”.
Revising any of these settings serves as a mitigation ahead of implementing a patch, Cloud Foundry says.
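As an added example (not Cloud Foundry's code and not part of the original article), the following Python triage helper takes an operator-gathered inventory of a deployment and reports whether it runs a cf-release older than v264 and whether all three preconditions from the disclosure hold at once, listing which of the three settings could be revised as an interim mitigation. The inventory field names (`zones`, `external_providers`, `external_group_mappings`, `external_provider_admins`, `cf_release_version`) are assumptions for this example, not UAA configuration keys, and the two sample deployments are constructed.

```python
"""Triage helper: does a Cloud Foundry deployment match the preconditions the
disclosure lists for the UAA zone-administrator privilege escalation?

Added example, not Cloud Foundry's code.  The inventory fields below are
assumed names for facts an operator gathers about their own deployment; they
are not UAA configuration keys.
"""
import re

# cf-release v264 and later carry the fix, per the disclosure.
FIXED_CF_RELEASE = 264

# Constructed sample inventories for two hypothetical deployments.
SAMPLE_INVENTORIES = {
    "prod": {
        "cf_release_version": "v263",
        "zones": ["uaa", "team-a", "team-b"],
        "external_providers": ["ldap", "saml"],
        "external_group_mappings": True,
        "external_provider_admins": ["alice", "bob"],
    },
    "lab": {
        "cf_release_version": "v265",
        "zones": ["uaa"],
        "external_providers": [],
        "external_group_mappings": False,
        "external_provider_admins": [],
    },
}


def parse_cf_release(version):
    """Turn 'v263' or '263' into an int; reject anything else loudly."""
    match = re.fullmatch(r"v?(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised cf-release version: {version!r}")
    return int(match.group(1))


def assess(inventory):
    """Evaluate the three preconditions plus the version, and suggest levers.

    A deployment is exposed only when it is unpatched AND all three
    preconditions hold; revising any one of the held preconditions is the
    interim mitigation the disclosure describes.
    """
    preconditions = {
        "multiple_zones": len(inventory["zones"]) > 1,
        "admins_for_external_providers": bool(inventory["external_provider_admins"]),
        "external_providers_and_mappings_enabled": (
            bool(inventory["external_providers"])
            and bool(inventory["external_group_mappings"])
        ),
    }
    unpatched = parse_cf_release(inventory["cf_release_version"]) < FIXED_CF_RELEASE
    exposed = unpatched and all(preconditions.values())
    # Only unpatched deployments need interim mitigations; each held
    # precondition is a setting the operator could revise.
    levers = [name for name, holds in preconditions.items() if holds] if unpatched else []
    return {
        "unpatched": unpatched,
        "preconditions": preconditions,
        "exposed": exposed,
        "mitigation_levers": levers,
    }


def main():
    for name, inventory in SAMPLE_INVENTORIES.items():
        result = assess(inventory)
        verdict = "EXPOSED" if result["exposed"] else "not exposed"
        print(f"{name}: {verdict}; unpatched={result['unpatched']}; "
              f"levers={result['mitigation_levers']}")


if __name__ == "__main__":
    main()
```

Run as a script it prints one verdict per deployment; the "prod" sample is reported as exposed with all three levers available, while "lab" is already on a fixed release and needs nothing. Patching remains the real fix, which is why the levers list is empty once the version check passes.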
The disclosure provides upgrade links for both Cloud Foundry users (upgrade to version 264 or later) and standalone UAA users (UAA 2.x.x users have to move to fixed versions in the 3.x.x series). ®