CVE-2019-11288: tc Server JMX Socket Listener Registry Rebinding Local Privilege Escalation


Severity

Medium

Vendor

Pivotal

Description

When a tc Runtime instance is configured with the JMX Socket Listener, a local attacker without access to the tc Runtime process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the tc Runtime instance.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • Pivotal tc Server
    • 3.2.0 - 3.2.18
    • 4.0.0 - 4.0.9
  • Pivotal tc Runtime
    • 7.0.70.B.RELEASE - 7.0.96.A.RELEASE
    • 8.5.4.B.RELEASE - 8.5.43.B.RELEASE
    • 9.0.6.B.RELEASE - 9.0.22.B.RELEASE

Mitigation

Disable tc Runtime's JmxSocketListener and use the built-in remote JMX facilities provided by the JVM, or upgrade to one of the following versions:

  • Pivotal tc Server
    • 3.2.19
    • 4.0.10+
  • Pivotal tc Runtime
    • 7.0.99.B.RELEASE
    • 8.5.47.A.RELEASE
    • 9.0.27.A.RELEASE+
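
To audit an instance against the ranges and mitigation above, the following added example (not Pivotal's code) checks a tc Runtime version string against the affected ranges and looks for a JmxSocketListener entry in the instance's server.xml. It assumes the version letter sorts alphabetically and that the listener is declared as a `<Listener>` element; the function names, the sample XML and the listener's package prefix are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected tc Runtime ranges, inclusive, as listed in the advisory.
AFFECTED_RUNTIME = [
    ("7.0.70.B.RELEASE", "7.0.96.A.RELEASE"),
    ("8.5.4.B.RELEASE", "8.5.43.B.RELEASE"),
    ("9.0.6.B.RELEASE", "9.0.22.B.RELEASE"),
]

# Constructed sample server.xml; the listener's package prefix is an assumption.
SAMPLE_SERVER_XML = """<Server port="-1">
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="com.springsource.tcserver.serviceability.rmi.JmxSocketListener"
            port="6969" bind="127.0.0.1" authenticate="true"/>
  <Service name="Catalina"/>
</Server>"""

def version_key(version):
    """'8.5.43.B.RELEASE' -> (8, 5, 43, 'B'). Assumes the letter sorts A < B."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.([A-Z])\.RELEASE", version)
    if m is None:
        raise ValueError(f"unrecognised tc Runtime version: {version!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def runtime_affected(version):
    """True when the version falls inside one of the advisory's ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi)
               for lo, hi in AFFECTED_RUNTIME)

def jmx_socket_listeners(server_xml_text):
    """Attributes of every <Listener> whose class name ends in JmxSocketListener."""
    root = ET.fromstring(server_xml_text)
    return [dict(el.attrib) for el in root.iter("Listener")
            if el.get("className", "").split(".")[-1] == "JmxSocketListener"]

def exposed(version, server_xml_text):
    """Exposed only if the version is in range AND the listener is configured."""
    return runtime_affected(version) and bool(jmx_socket_listeners(server_xml_text))

if __name__ == "__main__":
    for v in ("8.5.43.B.RELEASE", "8.5.47.A.RELEASE"):
        print(v, "exposed" if exposed(v, SAMPLE_SERVER_XML) else "not exposed")
```

An instance on an affected version that has already removed the listener reports as not exposed, which matches the advisory's first mitigation option.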

Credit

This issue was identified and responsibly reported by An Trinh.