CVE-2016-5016
First published: Mon Apr 24 2017(Updated: )
Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.cloudfoundry.identity:cloudfoundry-identity-server | >=3.4.0<3.4.2 | 3.4.2 |
| maven/org.cloudfoundry.identity:cloudfoundry-identity-server | >=3.0.0<3.3.0.3 | 3.3.0.3 |
| Cloud Foundry | <=239 | |
| Pivotal Cloud Foundry Elastic Runtime | >=1.6.0<1.6.35 | |
| Pivotal Cloud Foundry Elastic Runtime | >=1.7.0<1.7.13 | |
| Cloud Foundry User Account and Authentication (UAA) | <=3.4.1 | |
| Pivotal Software Cloud Foundry UAA | <=12.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/cloudfoundry/cf-release/releases/tag/v240
- https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3
- https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3
- https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6
- https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3
- https://github.com/cloudfoundry/uaa/releases/tag/3.4.2
- https://pivotal.io/security/cve-2016-5016
- https://nvd.nist.gov/vuln/detail/CVE-2016-5016
- https://github.com/cloudfoundry/uaa/commit/0a78612f981c541ad2d997e6a365f2a0b3e799d9
- https://github.com/cloudfoundry/uaa/commit/bc91ccd2029e8f1cea0c647f0c9aad4585f7a2c
- https://github.com/cloudfoundry/uaa/commit/f97049df1c6c03effda5049c41704ac831ff3925
- https://github.com/advisories/GHSA-rc2r-w8jv-vggp (Advisory)
Frequently Asked Questions
What is the severity of CVE-2016-5016?
CVE-2016-5016 is classified as a medium severity vulnerability.
How do I fix CVE-2016-5016?
To fix CVE-2016-5016, upgrade to Cloud Foundry UAA version 3.4.2 or later, or to Pivotal Cloud Foundry Elastic Runtime versions 1.6.35 or 1.7.13 and later.
Which versions of Pivotal Cloud Foundry are affected by CVE-2016-5016?
Pivotal Cloud Foundry versions up to 239 are affected by CVE-2016-5016.
What components should I update affected by CVE-2016-5016?
You should update the User Account and Authentication Server (UAA) and Pivotal Cloud Foundry Elastic Runtime components.
Is my version vulnerable if I’m using UAA 3.4.1 or earlier in CVE-2016-5016?
Yes, UAA version 3.4.1 and earlier are vulnerable to CVE-2016-5016.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-rc2r-w8jv-vggp
- alias/CVE-2016-5016
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/references
- agent/description
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/maven
- vendor/pivotal software
- canonical/cloud foundry
- version/cloud foundry/239
- canonical/pivotal cloud foundry elastic runtime
- version/pivotal cloud foundry elastic runtime/1.6.0
- version/pivotal cloud foundry elastic runtime/1.7.0
- canonical/cloud foundry user account and authentication (uaa)
- version/cloud foundry user account and authentication (uaa)/3.4.1
- canonical/pivotal software cloud foundry uaa
- version/pivotal software cloud foundry uaa/12.2