Security issues with v76.6.0 (2 Critical, 7 High, 2 Medium)

[VuQuangAnh]

Hi guys,

Our osscan system has detected some critical outdate d libs that coming from https://github.com/cloudfoundry/uaa/blob/develop/uaa/slate/Gemfile.lock

CVE-2020-14001 kramdown-1.13.2.gem
CVE-2014-10077 i18n-0.7.0.gem
WS-2017-0158 haml-4.0.7.gem
CVE-2017-1002201 haml-4.0.7.gem
CVE-2020-8165 activesupport-5.0.1.gem
CVE-2023-22796 activesupport-5.0.1.gem
CVE-2022-44572 rack-2.0.9.1.gem
CVE-2022-44571 rack-2.0.9.1.gem
CVE-2022-44570 rack-2.0.9.1.gem
CVE-2017-4960 uaa-v76.5.0
CVE-2017-4973 uaa-v76.5.0

Any planning on fixing them on your roadmap ?
Appreciate your help on this.

Nguyen

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/184582601

The labels on this github issue will be updated when the story is started.

[strehle]

CVE-2017-4960 uaa-v76.5.0
CVE-2017-4973 uaa-v76.5.0

There are false-positives, because they are related to UAA itself. They may be a result because at this time UAA has a different versioning to uaa-release.

Everything inside https://github.com/cloudfoundry/uaa/blob/develop/uaa/slate/Gemfile.lock is not an issue in UAA runtime, because UAA is a java based application, but it is an issue in creating the API documentation https://docs.cloudfoundry.org/api/uaa

[VuQuangAnh]

CVE-2017-4960 : An issue was discovered in Cloud Foundry release v247 through v252, UAA stand-alone release v3.9.0 through v3.11.0, and UAA Bosh Release v21 through v26. There is a potential to subject the UAA OAuth clients to a denial of service attack.

[VuQuangAnh]

CVE-2017-4973 An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.12, 24.x versions prior to v24.7, and other versions prior to v30. A vulnerability has been identified with the groups endpoint in UAA allowing users to elevate their privileges.

[strehle]

both issues solved with 76.5.0

[VuQuangAnh]

Both are detected with latest version 76.5.0
Source file is https://github.com/cloudfoundry/uaa/blob/develop/model/src/main/java/org/cloudfoundry/identity/uaa/provider/LockoutPolicy.java
Latest commit was 6 years ago
CVE-2017-4960, top fix is Upgrade to version org.cloudfoundry.identity:cloudfoundry-identity-model:3.12.0
CVE-2017-4973, top fix is Upgrade to version cf-release - v257;UAA release- v2.7.4.14,v3.6.8,v3.9.10,v3.15.0;UAA bosh release - v13.12,v24.7,v30

[strehle]

I dont know why but both are false positives , e.g.
#2055

Fixes were done with - see release notes
https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.14
https://github.com/cloudfoundry/uaa/releases/tag/3.12.0

@bruce-ricard about https://github.com/cloudfoundry/uaa/releases/tag/3.12.0 we may should discuss about format

[bruce-ricard]

For me, the most convincing are the top fix recommendations:

GHSA-hxgw-7539-pv7r, top fix is Upgrade to version org.cloudfoundry.identity:cloudfoundry-identity-model:3.12.0
GHSA-pgjc-gc7g-p2c6, top fix is Upgrade to version cf-release - v257;UAA release- v2.7.4.14,v3.6.8,v3.9.10,v3.15.0;UAA bosh release - v13.12,v24.7,v30

these are very old versions that are already being used.

[strehle]

all reported issues here should be solved now, last one with #2257

[strehle]

close it now, solved with 76.11.0