CVE-2016-8218 Unauthenticated JWT signing algorithm in routing
Severity
Critical
References
Affected VMware Products and Versions
Severity is critical unless otherwise noted.
- Vulnerable cf-release versions listed here
- PCF Elastic Runtime 1.8.x versions prior to 1.8.21
Mitigation
Users of affected versions should apply the following mitigation:
- The Cloud Foundry project recommends mitigations for OSS users here
- Upgrade PCF Elastic Runtime 1.8.x versions to 1.8.21
Special Note for 1.7.x and 1.8.x Ops Manager Deployments
The 1.7.x release line of Ops Manager includes a new feature that allows tile stemcells to “float”, which will allow Operators to update their Ops Manager deployment once rather than installing all new Services product releases. If you upgrade one Service tile in Ops Manager 1.7.x or 1.8.x with the newly released stemcell, all tiles will automatically upgrade. For more information about the floating stemcell feature, refer to this document.