PT-2017-8327 · Cloud Foundry · Login-Server

Published 2017-05-25 · Updated 2022-05-13 · CVE-2016-3084

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Cloud Foundry versions prior to v236
UAA versions prior to v3.3.0
UAA versions prior to v10
Login-server all versions
Pivotal Elastic Runtime versions prior to 1.7.2

Description

The UAA reset password flow is vulnerable to a brute force attack due to multiple active codes at a given time. This issue is applicable only when using the UAA internal user store for authentication. Deployments enabled for integration via SAML or LDAP are not affected.

Recommendations

For Cloud Foundry versions prior to v236, update to a version later than v236.
For UAA versions prior to v3.3.0, update to a version later than v3.3.0.
For UAA versions prior to v10, update to a version later than v10.
For Login-server all versions, consider disabling the UAA internal user store for authentication until a patch is available.
For Pivotal Elastic Runtime versions prior to 1.7.2, update to a version later than 1.7.2.
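The property the description names, several reset codes live for one account at the same time, modelled as an added example that is not UAA's or Cloud Foundry's own code: a weak store in which every issued code stays redeemable until it expires, beside a hardened store that keeps at most one live, single-use code per user. The store classes, the 15-minute lifetime and the sample usernames are assumptions made for the illustration.

```python
import secrets
import hmac

# Constructed model of a password-reset code store, not UAA's own code.
# Weak store: every issued code stays valid until expiry, so one account
# can have many live codes. Hardened store: one live, single-use code.
TTL_SECONDS = 15 * 60   # assumed reset-code lifetime
CODE_BYTES = 16         # 128-bit random code


class WeakResetStore:
    """Every reset request adds a code; earlier codes remain redeemable."""
    def __init__(self):
        self.codes = {}  # code -> (username, expiry)
    def issue(self, username, now):
        code = secrets.token_hex(CODE_BYTES)
        self.codes[code] = (username, now + TTL_SECONDS)
        return code
    def live_codes(self, username, now):
        return [c for c, (u, exp) in self.codes.items()
                if u == username and exp > now]
    def redeem(self, username, code, now):
        # any live code is accepted and none is consumed on success
        entry = self.codes.get(code)
        return entry is not None and entry[0] == username and entry[1] > now


class HardenedResetStore:
    """At most one live code per user; re-issue or redeem retires it."""
    def __init__(self):
        self.by_user = {}  # username -> (code, expiry)
    def issue(self, username, now):
        code = secrets.token_hex(CODE_BYTES)
        self.by_user[username] = (code, now + TTL_SECONDS)  # replaces prior code
        return code
    def live_codes(self, username, now):
        entry = self.by_user.get(username)
        return [entry[0]] if entry and entry[1] > now else []
    def redeem(self, username, code, now):
        entry = self.by_user.get(username)
        if entry is None or entry[1] <= now:
            self.by_user.pop(username, None)  # drop an expired code
            return False
        if not hmac.compare_digest(entry[0].encode(), code.encode()):
            return False  # wrong guess: the single code stays until expiry/re-issue
        del self.by_user[username]  # single use
        return True
```

With the weak store, each pending request adds one more code that a guess could match; with the hardened store the number of accepted values per account never exceeds one, which is the condition the fixed versions restore.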

Fix


Weakness Enumeration

Related Identifiers

CVE-2016-3084
GHSA-FM5C-2RWC-887W

Affected Products

Cloud Foundry
Login-Server
Pivotal Elastic Runtime
UAA