Support Content Notification - Support Portal

UAA Failure to Remove External User Access-CVE-2024-38806

Product/Component

Notification Id

24827

Last Updated

25 July 2024

Initial Publication Date

25 July 2024

Status

OPEN

Severity

MEDIUM

CVSS Base Score

WorkAround

Affected CVE

Advisory ID:	TNZ-2024-0102
Severity:	Low
CVSSv3 Range:	3.1
Issue date:	2024-07-11
Updated on:	2024-07-11
CVE(s)	CVE-2024-38806
Synopsis:	TNZ-2024-0102: Tanzu Application Service 4.0.24+LTS-T, 5.0.14 and 6.0.4+LTS-T or below (CVE-2024-38806)

Impacted Products

Tanzu Application Service 4.0.24+LTS-T, 5.0.14 and 6.0.4+LTS-T or below

UAA Release v77.10.0 or below

Introduction

If UAA is configured to proxy to an external OIDC or SAML provider and a federated user has their group permissions changed the UAA shadow account did not correctly update those group permission changes. Patches are available to remediate this vulnerability in affected Tanzu products.

UAA Shadow Account permissions (CVE-2024-38806)

Description:
Expected behavior: When UAA is configured to proxy to an external OIDC or SAML provider, and when UAA is configured (using the UAA group mapping feature) to convert the external provider user groups into the corresponding internal UAA user groups. After an initial user login triggered an initial group conversion, if then an admin removes a user from a group in the external provider, upon the user’s subsequent logins with UAA, UAA should remove the user from the corresponding UAA internal groups as well.

Actual behavior (in UAA Release v77.10.0 or below): UAA might not perform this group removal correctly, and as a result, the user might retain outdated access in UAA that they should not have.

Known Attack Vectors:
There are no known attack vectors. If an account is compromised then it may be possible to gain access to UAA controled group permissions that were not properly corrected.

Resolution:
Upgrade to the patched release version, or newer:

Upgrade to Tanzu Application Service 4.0.25+LTS-T, 5.0.15 and 6.0.5+LTS-T or higher to prevent this issue.
If you suspect that your existing users have retained outdated access due to this issue, we recommend that you remove the UAA shadow user (UAA’s local cache of the external provider user) via UAA’s user delete endpoint, so that the UAA shadow user and its groups can be repopulated later.

Workarounds:
Any of the following are valid workarounds depending on your environment/traffic needs:

Upgrade to the patched release version or newer

Acknowledgements:
@Rohit04061992 for reporting

@strehle for fixing

References:

Fixed Version(s):

Upgrade to Tanzu Application Service 4.0.25+LTS-T, 5.0.15 and 6.0.5+LTS-T or higher

Cloud Foundry Advisory Link:

https://www.cloudfoundry.org/blog/cve-2024-38806-uaa-failure-to-remove-shadow-users-access/

CVSSv3 Calculator:

AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N/E:P/RL:O/RC:R/CR:M/IR:M/AR:L/MAV:N/MAC:L/MPR:H/MUI:R/MS:C/MC:X/MI:N/MA:N

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:H/UI:R/S:C[…]M/AR:L/MAV:N/MAC:L/MPR:H/MUI:R/MS:C/MC:X/MI:N/MA:N&version=3.1?

Change Log:

2024-07-23 TNZ-2024-0102

Initial security advisory

Contact:

E-mail: [email protected]

VMware Tanzu Security Advisories
https://support.broadcom.com/group/ecx/security-advisory?segment=VT

VMware Security & Compliance Blog
https://tanzu.vmware.com/content/vmware-tanzu-and-security