cnvd - cnvd-2017-38263

cnvd-2017-38263

Vulnerability from cnvd

Title: Pivotal Cloud Foundry cf-release和UAA拒绝服务漏洞

Description:

Pivotal Cloud Foundry（CF）是美国Pivotal Software公司的一套开源的平台即服务（PaaS）云计算平台，它提供容器调度、持续交付和自动化服务部署等功能。cf-release是PCF的一个发布版本。UAA是PCF的一个身份验证和管理服务终端。

Pivotal CF cf-release和UAA中存在拒绝服务漏洞。攻击者可利用该漏洞废除在同一客户端上用户的令牌，造成拒绝服务。

Severity: 低

Patch Name: Pivotal Cloud Foundry cf-release和UAA拒绝服务漏洞的补丁

Patch Description:

Pivotal CF cf-release和UAA中存在拒绝服务漏洞。攻击者可利用该漏洞废除在同一客户端上用户的令牌，造成拒绝服务。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： https://www.cloudfoundry.org/ https://www.cloudfoundry.org/cve-2017-8031/ https://pivotal.io/security/cve-2017-8031

Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-8031

Impacted products

Name
['Pivotal Software Cloud Foundry Foundation cf-release v279', 'Pivotal Software UAA 30.，<30.6', 'Pivotal Software UAA 45.，<45.4', 'Pivotal Software UAA 52.*，<52.1']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "101967"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-8031"
    }
  },
  "description": "Pivotal Cloud Foundry\uff08CF\uff09\u662f\u7f8e\u56fdPivotal Software\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u5e73\u53f0\u5373\u670d\u52a1\uff08PaaS\uff09\u4e91\u8ba1\u7b97\u5e73\u53f0\uff0c\u5b83\u63d0\u4f9b\u5bb9\u5668\u8c03\u5ea6\u3001\u6301\u7eed\u4ea4\u4ed8\u548c\u81ea\u52a8\u5316\u670d\u52a1\u90e8\u7f72\u7b49\u529f\u80fd\u3002cf-release\u662fPCF\u7684\u4e00\u4e2a\u53d1\u5e03\u7248\u672c\u3002UAA\u662fPCF\u7684\u4e00\u4e2a\u8eab\u4efd\u9a8c\u8bc1\u548c\u7ba1\u7406\u670d\u52a1\u7ec8\u7aef\u3002\r\n\r\nPivotal CF cf-release\u548cUAA\u4e2d\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5e9f\u9664\u5728\u540c\u4e00\u5ba2\u6237\u7aef\u4e0a\u7528\u6237\u7684\u4ee4\u724c\uff0c\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
  "discovererName": "Pivotal Software",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttps://www.cloudfoundry.org/\r\nhttps://www.cloudfoundry.org/cve-2017-8031/\r\nhttps://pivotal.io/security/cve-2017-8031",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-38263",
  "openTime": "2017-12-27",
  "patchDescription": "Pivotal Cloud Foundry\uff08CF\uff09\u662f\u7f8e\u56fdPivotal Software\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u5e73\u53f0\u5373\u670d\u52a1\uff08PaaS\uff09\u4e91\u8ba1\u7b97\u5e73\u53f0\uff0c\u5b83\u63d0\u4f9b\u5bb9\u5668\u8c03\u5ea6\u3001\u6301\u7eed\u4ea4\u4ed8\u548c\u81ea\u52a8\u5316\u670d\u52a1\u90e8\u7f72\u7b49\u529f\u80fd\u3002cf-release\u662fPCF\u7684\u4e00\u4e2a\u53d1\u5e03\u7248\u672c\u3002UAA\u662fPCF\u7684\u4e00\u4e2a\u8eab\u4efd\u9a8c\u8bc1\u548c\u7ba1\u7406\u670d\u52a1\u7ec8\u7aef\u3002\r\n\r\nPivotal CF cf-release\u548cUAA\u4e2d\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5e9f\u9664\u5728\u540c\u4e00\u5ba2\u6237\u7aef\u4e0a\u7528\u6237\u7684\u4ee4\u724c\uff0c\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Pivotal Cloud Foundry cf-release\u548cUAA\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Pivotal Software Cloud Foundry Foundation cf-release v279",
      "Pivotal Software UAA 30.*\uff0c\u003c30.6",
      "Pivotal Software UAA 45.*\uff0c\u003c45.4",
      "Pivotal Software UAA 52.*\uff0c\u003c52.1"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2017-8031",
  "serverity": "\u4f4e",
  "submitTime": "2017-11-30",
  "title": "Pivotal Cloud Foundry cf-release\u548cUAA\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

CVE-2017-8031 (GCVE-0-2017-8031)

Vulnerability from cvelistv5

Published

2017-11-27 10:00

Modified

2024-08-05 16:19

Severity ?

CWE

Denial of Service

Summary

An issue was discovered in Cloud Foundry Foundation cf-release (all versions prior to v279) and UAA (30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1). In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service.

References

▼	URL	Tags
	https://www.cloudfoundry.org/cve-2017-8031/	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/101967	vdb-entry, x_refsource_BID

Impacted products

	Vendor	Product	Version
	n/a	cf-release and UAA cf-release: All versions prior to v279, UAA: 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1	Version: cf-release and UAA cf-release: All versions prior to v279, UAA: 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T16:19:29.544Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.cloudfoundry.org/cve-2017-8031/"
          },
          {
            "name": "101967",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/101967"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "cf-release and UAA cf-release: All versions prior to v279, UAA: 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "cf-release and UAA cf-release: All versions prior to v279, UAA: 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1"
            }
          ]
        }
      ],
      "datePublic": "2017-11-27T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Cloud Foundry Foundation cf-release (all versions prior to v279) and UAA (30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1). In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Denial of Service",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-11-29T10:57:01",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.cloudfoundry.org/cve-2017-8031/"
        },
        {
          "name": "101967",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/101967"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security_alert@emc.com",
          "ID": "CVE-2017-8031",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "cf-release and UAA cf-release: All versions prior to v279, UAA: 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "cf-release and UAA cf-release: All versions prior to v279, UAA: 30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Cloud Foundry Foundation cf-release (all versions prior to v279) and UAA (30.x versions prior to 30.6, 45.x versions prior to 45.4, 52.x versions prior to 52.1). In some cases, the UAA allows an authenticated user for a particular client to revoke client tokens for other users on the same client. This occurs only if the client is using opaque tokens or JWT tokens validated using the check_token endpoint. A malicious actor could cause denial of service."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Denial of Service"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.cloudfoundry.org/cve-2017-8031/",
              "refsource": "CONFIRM",
              "url": "https://www.cloudfoundry.org/cve-2017-8031/"
            },
            {
              "name": "101967",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/101967"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2017-8031",
    "datePublished": "2017-11-27T10:00:00",
    "dateReserved": "2017-04-21T00:00:00",
    "dateUpdated": "2024-08-05T16:19:29.544Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted