CVE-2016-5016 UAA accepts expired certificates
Severity: High
Vendor: Cloud Foundry Foundation
UAA relies on the OpenJDK Java Runtime Environment's TrustManager for its store of trusted certificates. By default the TrustManager does not check whether a certificate is still within its validity period, and UAA was found to accept certificates that had already expired.
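The advisory describes the failure mode but not the fix. The following is an added example, written for this page and not code from UAA or from the Cloud Foundry patch, of the check a practitioner would want: an `X509TrustManager` wrapper that delegates chain building and signature verification to the platform's default trust manager and then explicitly calls `checkValidity()` on every certificate in the presented chain, so an expired (or not-yet-valid) certificate is rejected regardless of what the underlying trust manager does. The class name, the injectable `Clock`, and the command-line usage are assumptions for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.util.Date;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Illustrative wrapper (assumed name, not UAA code). Every chain is first
 * handed to the platform X509TrustManager, then each certificate in it is
 * checked against the current time with X509Certificate.checkValidity(Date),
 * which throws CertificateExpiredException / CertificateNotYetValidException.
 */
public final class ExpiryCheckingTrustManager implements X509TrustManager {

    private final X509TrustManager delegate;
    private final Clock clock; // injectable so tests can pin "now"

    public ExpiryCheckingTrustManager(X509TrustManager delegate, Clock clock) {
        this.delegate = delegate;
        this.clock = clock;
    }

    /** Wraps the JRE default trust store (cacerts or -Djavax.net.ssl.trustStore). */
    public static ExpiryCheckingTrustManager fromDefaultTrustStore(Clock clock)
            throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore selects the JRE default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return new ExpiryCheckingTrustManager((X509TrustManager) tm, clock);
            }
        }
        throw new NoSuchAlgorithmException("no X509TrustManager available");
    }

    /** SSLContext whose peer verification includes the explicit expiry check. */
    public static SSLContext sslContext(Clock clock) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { fromDefaultTrustStore(clock) }, null);
        return ctx;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
        checkValidityOfChain(chain);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
        checkValidityOfChain(chain);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /** Rejects the whole chain if any certificate is outside its validity period. */
    public void checkValidityOfChain(X509Certificate[] chain) throws CertificateException {
        Date now = Date.from(clock.instant());
        for (X509Certificate cert : chain) {
            cert.checkValidity(now); // throws if now < notBefore or now > notAfter
        }
    }

    /** Usage (assumed): java ExpiryCheckingTrustManager chain.pem */
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            X509Certificate[] chain =
                    cf.generateCertificates(in).toArray(new X509Certificate[0]);
            new ExpiryCheckingTrustManager(
                    fromDefaultTrustStore(Clock.systemUTC()).delegate, Clock.systemUTC())
                    .checkValidityOfChain(chain);
            System.out.println("all " + chain.length + " certificate(s) within validity period");
        }
    }
}
```

The wrapper deliberately runs the expiry check after the delegate rather than instead of it: the platform trust manager still performs chain building, signature and trust-anchor checks, and the wrapper only adds the date check the advisory says was missing. To verify what a running endpoint actually presents, `openssl s_client -connect host:port </dev/null 2>/dev/null | openssl x509 -noout -dates` prints the notBefore/notAfter of the leaf certificate.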
Users of affected versions should apply the following mitigation:
For standalone UAA users:
Credit: Krolim
[1] <https://github.com/cloudfoundry/cf-release/releases/tag/v240>
[2] <https://github.com/cloudfoundry/uaa/releases/tag/2.7.4.6>
[3] <https://github.com/cloudfoundry/uaa/releases/tag/3.3.0.3>
[4] <https://github.com/cloudfoundry/uaa/releases/tag/3.4.2>
[5] <https://github.com/cloudfoundry/uaa-release/releases/tag/v12.3>
[6] <https://github.com/cloudfoundry/uaa-release/releases/tag/v11.3>
2016-August-18: Initial vulnerability report published