uaa

CloudFoundry User Account and Authentication (UAA) Server

APACHE-2.0 License

uaa - 74.13.0

Published by cf-identity almost 5 years ago

IMPORTANT: This release creates a new database index, which requires Postgres v9.5 or higher.

FEATURES

[Standalone only] Added some additional configuration options to the tomcat jdbc connection pool, allowing operators deploying UAA to tweak maxWait, validationInterval, testWhileIdle, and minEvictableIdleTimeMillis.

Added a database index on the revocable tokens table (submitted via PR #1154)

Data-source configuration: added more properties to dynamic configuration (submitted via PR #1161)

Added the ability to set portHeader in Tomcat's server.xml (submitted via PR #128)

BUG FIX

Reenable wildcarding of ports when UAA is in legacy redirect matching mode.

DEPENDENCY UPDATES

Bump spring-framework-bom from 5.2.1.RELEASE to 5.2.2.RELEASE
Bump spring-boot from 2.2.1.RELEASE to 2.2.2.RELEASE
Bump guava from 28.1-jre to 28.2-jre

uaa - 74.12.0

Published by cf-identity almost 5 years ago

BUG FIX

Purge expired sessions from in-memory map

Configuring the UAA to manage sessions in memory resulted in the use of MapSessionRepository to manage sessions. MapSessionRepository does not automatically remove expired sessions from its backing map, and neither did the UAA, resulting in a memory leak. The fix registers a scheduled task to remove expired sessions.

Github Issue 1
Github Issue 2
Tracker Story
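An added illustration of the leak and the fix described above, not UAA or Spring Session code: a minimal in-memory session map that, like MapSessionRepository as the notes describe it, only evicts an expired session when that particular session is looked up, plus the sweeping purge that a scheduled task would run. Class and function names are this example's own.

```python
import threading
import time

# Names here are this example's own; the eviction behaviour follows the release notes.


class InMemorySessionMap:
    """Sessions live in a plain dict: session id -> last-access time."""

    def __init__(self, max_inactive_seconds: float, clock=time.monotonic):
        self._sessions = {}
        self._ttl = max_inactive_seconds
        self._clock = clock          # injectable so a test can advance time deterministically
        self._lock = threading.Lock()

    def save(self, session_id: str) -> None:
        with self._lock:
            self._sessions[session_id] = self._clock()

    def find_by_id(self, session_id: str):
        """Return the last-access time, or None if absent/expired.

        An expired entry is removed only when *this* id is looked up; entries that
        nobody asks for again stay in the map forever. That is the leak."""
        with self._lock:
            last = self._sessions.get(session_id)
            if last is None:
                return None
            if self._clock() - last > self._ttl:
                del self._sessions[session_id]
                return None
            return last

    def purge_expired(self) -> int:
        """The fix: sweep the whole map and drop every expired session; returns the count."""
        with self._lock:
            now = self._clock()
            stale = [sid for sid, last in self._sessions.items() if now - last > self._ttl]
            for sid in stale:
                del self._sessions[sid]
            return len(stale)

    def size(self) -> int:
        return len(self._sessions)


def schedule_purge(store: InMemorySessionMap, interval_seconds: float) -> threading.Timer:
    """Register the repeating background task that keeps the map bounded."""
    def run():
        store.purge_expired()
        schedule_purge(store, interval_seconds)   # re-arm for the next interval
    timer = threading.Timer(interval_seconds, run)
    timer.daemon = True
    timer.start()
    return timer
```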

uaa - 74.11.0

Published by cf-identity almost 5 years ago

FEATURE

Merged a github pull request that allows UAA to report health to bosh-dns, matching UAA’s health reporting to route_registrar.

uaa - 74.10.0

Published by cf-identity almost 5 years ago

bosh.io releases

FEATURE

Improved logging when credentials are provided via URL params and log_level is set to DEBUG.

uaa - 74.9.0

Published by cf-identity almost 5 years ago

bosh.io releases

BUG FIX

Fixes a bug that made a database query crash when a user had too many SCIM group memberships.

DEPENDENCY UPDATES

Bump spring-security-oauth2 from 2.3.7.RELEASE to 2.4.0.RELEASE
Bump spring-security-jwt from 1.0.11.RELEASE to 1.1.0.RELEASE

uaa - 74.8.0

Published by cf-identity almost 5 years ago

FEATURES

UAA now sets a no-sniff header on the login page to prevent MIME-type sniffing.

Improved logging when credentials are directly submitted via a browser URL.

DEPENDENCY UPDATES

Bump spring-framework-bom from 5.2.0.RELEASE to 5.2.1.RELEASE
Bump spring-boot from 2.2.0.RELEASE to 2.2.1.RELEASE
Bump spring-security-saml2-core from 1.0.9.RELEASE to 1.0.10.RELEASE
Bump New Relic java agent from 3.48.0 to 5.8.0

uaa - 74.7.0

Published by cf-identity almost 5 years ago

bosh.io releases

BUG FIXES

Fixes a bug that prevented the UAA from starting unless it had internet access.

uaa - **DO NOT USE 74.6.0**

Published by cf-identity almost 5 years ago

Warning

This version of UAA will not start unless the UAA has internet access. This bug will be fixed in our next release.

bosh.io releases

BUG FIXES

Fixes a bug that made the UAA fail to start up successfully any time the env.no_proxy property was set.

DEPENDENCY UPDATES

Bump hamcrest from 2.1 to 2.2
Bump googleauth from 1.2.0 to 1.4.0
Bump jackson from 2.9.9.3 to 2.10.0
Bump spring-security-oauth2 from 2.3.6.RELEASE to 2.3.7.RELEASE
Bump Spring Boot from 2.1.9.RELEASE to 2.2.0.RELEASE

uaa - 74.5.0

Published by cf-identity about 5 years ago

FEATURES

Added an option to enable basic auth URI encoding compatibility mode. This feature complements the breaking change released in UAA v74.0.0, which enabled correct handling of special characters within the client secret. The new setting, uaa.authentication.enable_uri_encoding_compatibility_mode, makes URI decoding of client secrets optional: when it is enabled (set to true), basic auth credentials are URI-decoded only when the X-CF-ENCODED-CREDENTIALS header is set to true. The default continues to behave as introduced in v74.0.0.

DEPENDENCY UPDATES

Bump reflections from 0.9.10 to 0.9.11
Bump org.eclipse.jgit from 3.4.1.201406201815-r to 5.5.1.201910021850-r
Bump bouncycastle from 1.63 to 1.64
Bump cglib from 3.2.5 to 3.3.0
Bump apacheds-core from 1.5.5 to 2.0.0.AM25
Bump apacheds-protocol-ldap from 1.5.5 to 2.0.0.AM25
Bump httpclient from 4.5.3 to 4.5.10
Bump spring-security-jwt from 1.0.10.RELEASE to 1.0.11.RELEASE

uaa - 74.4.0

Published by cf-identity about 5 years ago

bosh.io releases

BREAKING CHANGES

Session configuration options have been simplified.

  • The uaa.servlet.session-cookie configuration now only supports the max-age property.
  • The following configurations are no longer available: secure, http-only, name, comment, path, and domain.

FEATURES

Session management has been migrated to Spring Session. As a result, please consider the following changes before upgrading to this version:

  • The uaa.servlet.session-store configuration is used to determine the backend where sessions will be stored.
  • Valid configuration options are: memory and database.
    • Default Configuration: The memory option uses an in-memory map structure per UAA instance. This is suitable for a single UAA, or for multiple UAAs if a session affinity strategy is employed at the routing layer. Sessions are destroyed if the UAA goes down for any reason. This is the same behavior the UAA had before this release.
    • The database option uses the configured database as a session store. This will allow horizontal scaling by externalizing the session, but will increase the volume of database reads/writes. Sessions will be maintained in the event of UAA downtime.

DEPENDENCY UPDATES

Bump spring-framework-bom from 5.1.9.RELEASE to 5.2.0.RELEASE

uaa - 74.3.0

Published by cf-identity about 5 years ago

uaa - 74.2.0

Published by cf-identity about 5 years ago

BREAKING CHANGES

UAA source and runtime target has been changed to Java version 11. Consumers of this release need to account for the Java version upgrade within their environment before upgrading.

FEATURES

Mark the /check_token endpoint as deprecated; recommend use of /introspect instead
The /introspect endpoint now allows bearer token authentication

DEPENDENCY UPDATES

Bump postgresql from 42.2.6 to 42.2.8
Bump lombok from 1.18.8 to 1.18.10
Bump jackson from 2.9.9 to 2.9.10
Bump bouncycastle from 1.62 to 1.63
Bump nokogiri from 1.8.5 to 1.10.4

uaa - 74.1.0

Published by cf-identity about 5 years ago

FEATURES

Added the ability to forward the IP address of the caller to the IdP when using OIDC password grant

Improved UAA's ability to reconnect to its database upon VM restart, eliminating UAA's former 503/failure mode

SECURITY

CVE-2019-11279: Addressed a privilege escalation via scope manipulation in UAA
CVE-2019-11278: Addressed a privilege escalation via blind SCIM injection in UAA

BUG FIXES

Fixed a bug that could potentially cause unnecessary and failing requests to the database

Added a missing audit log event for unsuccessful authentication against the external IdP, specifically in the OIDC password grant flow

DEPENDENCY UPDATES

Bump Spring Boot from 2.1.6.RELEASE to 2.1.7.RELEASE
Bump log4j2 from 2.12.0 to 2.12.1
Bump slf4j-api from 1.7.27 to 1.7.28
Bump groovy from 2.5.7 to 2.5.8
Bump scim-sdk from 1.8.21 to 1.8.22
Bump snakeyaml from 1.24 to 1.25
Bump tomcat from 9.0.22 to 9.0.24
Bump api-ldap-model from 1.0.0 to 1.0.3 [Security CVE-2019-0231]
Bump mockito from 2.13.0 to 3.0.0
Bump flyway-core from 5.2.4 to 6.0.0
Bump guava from 28.0-jre to 28.1-jre

uaa - 74.0.0

Published by cf-identity about 5 years ago

bosh.io releases

Stories included in this release are prepared by @dbeneke

Breaking Changes

Removed uaa_postgres job from uaa-release and recommend migration to postgres-release.

  • If you relied on uaa_postgres, you will need to follow these steps to migrate your data when you upgrade to UAA version 74.0.0. Note that you will incur downtime during this migration:
    • $ mkdir -p /var/vcap/store/postgres/postgres-11.1
    • $ chmod 0700 /var/vcap/store/postgres/postgres-11.1
    • $ cp -r /var/vcap/store/uaa_postgres-11.1/* /var/vcap/store/postgres/postgres-11.1
  • Migrating from uaa_postgres to postgres-release can be done without incurring a postgres upgrade by pinning the postgres-release version to v35

Update bbr-uaadb job to use bosh-properties first, then bosh-links, to ensure a more consistent backup/restore experience, expanding backup coverage to the bosh director.

  • It's expected that consumers will need to remove the release_level_backup property from the uaa job and add it to the bbr-uaadb job.
    • If these steps are not followed, bosh create-release will fail.
    • In the uaa job: the release_level_backup BOSH property in the uaa job's spec file has been marked as deprecated.
    • In the bbr-uaadb job: a new property called release_level_backup has been added to the bbr-uaadb job, defaulting to false.

Correct handling of special characters within the client secret - UAA can now understand client credentials that contain special characters within the secret when provided via basic authentication. However, this change means that any consumers of the UAA's APIs who provide client credentials via basic authorization will need to change their implementation so that both the client id and client secret are URL-encoded.

The UAAC has been updated to version 4.2.0, which is required to remain compatible with this fix.

The full header would be constructed like this:

  • "Authorization: Basic " + base64encode(urlEncode(clientId):urlEncode(clientSecret))
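As an added example (not UAA or UAAC code), the header construction above together with the v74.5.0 compatibility mode in Python: build_basic_auth_header produces the header a client must now send, and parse_basic_auth_header models the server-side decoding decision. Both function names and the dict-based request_headers parameter are this example's own; the header and property names come from the release notes.

```python
import base64
from urllib.parse import quote, unquote

# Header and property names are from the release notes; the functions are this example's own.
ENCODED_FLAG_HEADER = "X-CF-ENCODED-CREDENTIALS"


def build_basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build 'Basic ' + base64(urlEncode(clientId) + ':' + urlEncode(clientSecret))."""
    # safe='' so that ':', '@', '/' and '%' inside the secret are all percent-encoded;
    # without it a ':' in the secret is indistinguishable from the id/secret separator.
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def parse_basic_auth_header(authorization: str, request_headers: dict, compatibility_mode: bool):
    """Recover (client_id, client_secret) the way a UAA-style server would.

    compatibility_mode models uaa.authentication.enable_uri_encoding_compatibility_mode:
      False (default): always URI-decode both parts, as v74.0.0 introduced.
      True: URI-decode only when the client sent X-CF-ENCODED-CREDENTIALS: true;
            otherwise take the credentials literally, as pre-74.0.0 clients sent them.
    """
    scheme, _, encoded = authorization.partition(" ")
    if scheme != "Basic" or not encoded:
        raise ValueError("not a Basic authorization header")
    raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    client_id, sep, client_secret = raw.partition(":")
    if not sep:
        raise ValueError("credentials missing ':' separator")
    # HTTP header names are case-insensitive, so match the flag header accordingly
    flag = next((v for k, v in request_headers.items()
                 if k.lower() == ENCODED_FLAG_HEADER.lower()), "")
    if compatibility_mode and flag.strip().lower() != "true":
        return client_id, client_secret
    return unquote(client_id), unquote(client_secret)
```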

Features

Users can now regenerate client secrets.

Updates

Deprecate uaa-utils package from uaa-release.

Bump Tomcat to version 9.0.22.

Bump Spring Security to version 5.1.6.

Bump Spring to version 5.1.9.

Bug Fixes

Fixed a bug that caused the /info endpoint to communicate the incorrect UAA version.

Login success and error messaging on the UAA login page can no longer be manipulated via query.

Sanitize SCIM filters to prevent XSS attacks in older versions of internet browsers, preventing the browser from potentially executing JavaScript.

uaa - 73.7.0

Published by cf-identity about 5 years ago

bosh.io releases

Stories included in this release are prepared by @wc22222

Versioning Change

The version(ing) applied to uaa has been synchronized with the version(ing) applied to uaa-release. Uaa-release moved to semantic versioning with version 73.0.0. Both uaa-release and uaa will now follow semantic versioning guidelines.

Discovered Bug

This release introduces a bug that causes the /info endpoint to communicate the incorrect version.

Hotfix

Reverted the unexpected backward-incompatible change introduced in Spring Security 5:

  • The DelegatingPasswordEncoder change prefixed hashed passwords in the database with {bcrypt}, which caused older versions of UAA to not understand the hashed passwords during a rolling upgrade deployment.

uaa - 4.31.0

Published by cf-identity over 5 years ago

Breaking Changes

UAA BOSH Release should stop accepting http traffic from the public

  • Replaces "uaa.port" with "uaa.localhost_http_port" with a default value of 8080 -- this only allows access to the "healthz" endpoint from localhost
  • Requires any component communicating with UAA to configure that connection with HTTPS (this may require changing ports and providing UAA's server cert CA to that component)
  • See the corresponding change in cf-deployment for an example

As a CF operator, I can configure UAA to ignore hostnames in server certificates for TLS connection to database

  • Removes old tls properties "uaadb.tls_enabled" and "uaadb.skip_ssl_validation"
  • Introduces new property "uaadb.tls" with default "enabled"
  • Valid values for "uaadb.tls" are "enabled", "enabled_skip_hostname_validation", "enabled_skip_all_validation" and "disabled"

As a Platform Operator, I want to use only BPM to manage the UAA process

  • Anyone who used to deploy UAA without co-locating BPM will see deployment failures after upgrading UAA
  • Anyone who was already deploying without mentioning bpm.enabled in their manifest (the default was false), or explicitly had bpm.enabled: false, will start using bpm after upgrading.
  • Anyone who was already deploying with the bosh property bpm.enabled set to true should be unaffected
  • The bosh property bpm.enabled used to enable BPM will be removed and operators and downstream teams who were using it can remove it from their manifest

Uaa-release sometimes fails to deploy with an error about /etc/ssl/certs/ca-certificates.crt

  • UAA no longer loads certificates added to the operating system trust store (i.e. /usr/local/share/ca-certificates) after its pre-start script begins.

Simplify the way uaa-release builds the java trust store (no longer adds them to the VM's truststore)

  • Certs added via the BOSH property uaa.ca_certs used to be loaded into the VM's trust store. This no longer happens. They also used to be loaded into the UAA's JVM truststore, which still happens.

Upgrade to Log4j2 logging framework

  • Updated configuration variable CLOUD_FOUNDRY_CONFIG_PATH to CLOUDFOUNDRY_CONFIG_PATH.
  • To provide custom logging configuration, the UAA will still recognize logging.config as a path to a logging configuration file. However, this file must now be Log4j2 format.
  • The UAA will no longer recognize logging.file or logging.path as valid Log4j2 configuration variables.

Features

Bug Fixes

uaa - 4.30.0

Published by cf-identity over 5 years ago

Stories included in this release are prepared by @wc22222

Dependencies Update

  • Bump Postgres to 42.2.5
  • Bump gradle-cargo-plugin to 2.6
  • Bump Spring to 4.3.22
  • Bump Hibernate Validator to 6.0.15.Final
  • Bump bouncycastle to 1.61