CVE-2019-3800: CF CLI writes the client id and secret to config file


Severity

Medium

Vendor

Pivotal Cloud Foundry

Description

Cloud Foundry CLI versions prior to v6.45.0 and CLI release versions prior to v1.16.0 write the client id and secret to the CLI's config file when the user authenticates with the --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, the owner of the leaked credentials. Various Pivotal and Partner products that consume the CF CLI are affected.
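A check a defender can run on a workstation or CI box to tell whether an installed CLI predates the fix and whether a config file is still carrying a client secret, given as an added example that is not part of the advisory. It assumes the config lives at ~/.cf/config.json and stores the credentials under the keys UAAOAuthClient and UAAOAuthClientSecret (neither is named on the page), and the sample config is constructed.

```python
"""Added example (not from the advisory): flag CF CLI builds affected by
CVE-2019-3800 and config files that still carry a client secret.
Assumptions: config path ~/.cf/config.json, key names "UAAOAuthClient" and
"UAAOAuthClientSecret", and a `cf version` banner of the form
"cf version 6.44.1+...". The sample config below is constructed."""
import json
import re
from pathlib import Path

FIXED_CLI = (6, 45, 0)  # first CF CLI release that no longer persists the secret

def parse_cf_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from a `cf version` banner string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"unrecognised cf version output: {banner!r}")
    return tuple(int(x) for x in m.groups())

def cli_is_affected(banner: str) -> bool:
    """True when the CLI predates v6.45.0 and therefore writes the secret."""
    return parse_cf_version(banner) < FIXED_CLI

def leaked_client_credentials(config_text: str) -> dict:
    """Inspect a config.json body. A non-empty secret means the file is a
    credential leak: rotate that UAA client's secret, then scrub the file."""
    cfg = json.loads(config_text)
    client = cfg.get("UAAOAuthClient", "")        # assumed key name
    secret = cfg.get("UAAOAuthClientSecret", "")  # assumed key name
    return {"client": client, "secret_present": bool(secret)}

def check_config_file(path: Path = Path.home() / ".cf" / "config.json") -> dict:
    """Run the same inspection over the real config file, if one exists."""
    if not path.is_file():
        return {"client": "", "secret_present": False}
    return leaked_client_credentials(path.read_text())

# Constructed sample of what a pre-fix CLI leaves behind after
# `cf auth CLIENT SECRET --client-credentials`.
SAMPLE_CONFIG = json.dumps({
    "ConfigVersion": 3,
    "Target": "https://api.example.com",
    "UAAOAuthClient": "my-service-broker-client",
    "UAAOAuthClientSecret": "s3cr3t-value",
})

if __name__ == "__main__":
    print("CLI affected:", cli_is_affected("cf version 6.44.1+c0ef8a2.2019-05-20"))
    print(leaked_client_credentials(SAMPLE_CONFIG))
```

Treat any non-empty secret as already exposed: upgrading the CLI stops future writes but does not revoke a credential that has sat in the file.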

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • CF Autoscaling Release versions prior to v219
  • CredHub Service Broker for PCF versions prior to 1.3.2
  • Metric Registrar CLI versions prior to 1.2.0
  • MySQL for PCF
    • 2.5.x versions prior to 2.5.7
    • 2.6.x versions prior to 2.6.3
  • ODB release versions prior to 0.29.0
  • PCF Service Broker for AWS versions prior to 1.4.13
  • Pivotal Application Service (PAS)
    • 2.3.x versions prior to 2.3.15
    • 2.4.x versions prior to 2.4.10
    • 2.5.x versions prior to 2.5.6
  • Pivotal Cloud Cache versions prior to 1.8.1
  • Pivotal Cloud Foundry App Autoscaler versions prior to 2.0.199
  • Pivotal Cloud Foundry Event Alerts versions prior to 1.2.8
  • Pivotal Cloud Foundry Healthwatch
    • 1.4.x versions prior to 1.4.7
    • 1.5.x versions prior to 1.5.4
  • Pivotal Cloud Foundry Metrics versions prior to 1.6.1
  • Pivotal Isolation Segment
    • 2.3.x versions prior to 2.3.1
    • 2.4.x versions prior to 2.4.5
    • 2.5.x versions prior to 2.5.4
  • RabbitMQ for PCF
    • 1.15.x versions prior to 1.15.11
    • 1.16.x versions prior to 1.16.4
  • Redis for PCF
    • 2.0.x versions prior to 2.0.4
    • 2.1.x versions prior to 2.1.3
  • Scheduler for PCF versions prior to 1.2.27
  • Single Sign-On for PCF
    • 1.7.x versions prior to 1.7.5
    • 1.8.x versions prior to 1.8.4
    • 1.9.x versions prior to 1.9.1
  • Spring Cloud Services for PCF versions prior to 2.0.10

Affected Partner Products and Versions

Severity is medium unless otherwise noted.

  • a9s Elasticsearch for PCF versions prior to 2.1.2
  • a9s LogMe for PCF versions prior to 2.1.2
  • a9s MongoDB for PCF versions prior to 2.1.2
  • a9s MySQL versions prior to 2.1.2
  • a9s PostgreSQL versions prior to 2.1.2
  • a9s RabbitMQ for PCF versions prior to 2.1.2
  • a9s Redis for PCF versions prior to 2.1.2
  • Apigee Edge Service Broker for PCF versions prior to 3.1.3
  • AppDynamics Application Analytics for PCF versions prior to 4.7.652
  • AppDynamics Application Performance Monitoring for PCF versions prior to 4.6.64
  • AppDynamics Platform Monitoring for PCF versions prior to 4.7.217
  • Blue Medora Nozzle for PCF versions prior to 3.1.1
  • Contrast Security Service Broker for PCF versions prior to 2.2.0
  • CyberArk Conjur Service Broker for PCF versions prior to 1.1.1
  • DataStax Enterprise Service Broker for PCF versions prior to 1.0.2
  • Datadog Application Monitoring for PCF versions prior to 1.7.0
  • Dynatrace Service Broker for PCF versions prior to 1.4.2
  • ForgeRock Service Broker for PCF versions prior to 2.1.2
  • GCP Service Broker for PCF versions prior to 4.2.3
  • IBM WebSphere Liberty for PCF versions prior to 3.11.0
  • Microsoft Azure Log Analytics Nozzle for PCF versions prior to 1.4.1
  • Microsoft Azure Service Broker for PCF versions prior to 1.4.1
  • New Relic Dotnet Extension Buildpack for PCF versions prior to 1.1.1
  • New Relic Nozzle for PCF versions prior to 1.1.17
  • New Relic Service Broker for PCF versions prior to 1.12.64
  • PagerDuty Service Broker for PCF versions prior to 1.2.4
  • Riverbed SteelCentral AppInternals for PCF versions prior to 10.21.1.-BL516
  • SMB Volume Service for PCF versions prior to 1.1.1
  • Signal Sciences Service Broker for PCF versions prior to 1.1.0
  • Snyk Service Broker for PCF versions prior to 1.0.3
  • Solace PubSub+ for PCF versions prior to 2.3.2
  • Splunk Nozzle for PCF versions prior to 1.1.1
  • Sumo Logic Nozzle for PCF versions prior to 1.0.1
  • Synopsys Seeker IAST Service Broker for PCF versions prior to 1.2.14
  • TIBCO BusinessWorks™ Container Edition Buildpack for PCF versions prior to 2.4.4
  • Wavefront by VMware Nozzle for PCF versions prior to 1.0.2
  • YugaByte DB Enterprise for PCF versions prior to 1.1.8

Mitigation

Users of affected versions should apply the following mitigation:

  • Pivotal releases that have fixed this issue include:
    • CF Autoscaling Release v219
    • CredHub Service Broker for PCF 1.3.2
    • Metric Registrar CLI 1.2.0
    • MySQL for PCF
      • 2.5.7
      • 2.6.3
    • ODB release 0.29.0
    • PCF Service Broker for AWS 1.4.13
    • Pivotal Application Service (PAS)
      • 2.3.14
      • 2.4.10
      • 2.5.6
    • Pivotal Cloud Cache 1.8.1
    • Pivotal Cloud Foundry App Autoscaler 2.0.199
    • Pivotal Cloud Foundry Event Alerts 1.2.8
    • Pivotal Cloud Foundry Healthwatch
      • 1.4.7
      • 1.5.4
    • Pivotal Cloud Foundry Metrics
      • 1.6.1
    • Pivotal Isolation Segment
      • 2.3.1
      • 2.4.5
      • 2.5.4
    • RabbitMQ for PCF
      • 1.15.11
      • 1.16.4
    • Redis for PCF
      • 2.0.4
      • 2.1.3
    • Scheduler for PCF
      • 1.2.27
    • Single Sign-On for PCF
      • 1.7.5
      • 1.8.4
      • 1.9.1
    • Spring Cloud Services for PCF 2.0.10
  • Partner releases that have fixed this issue include:
    • a9s Elasticsearch for PCF 2.1.2
    • a9s LogMe for PCF 2.1.2
    • a9s MongoDB for PCF 2.1.2
    • a9s MySQL 2.1.2
    • a9s PostgreSQL 2.1.2
    • a9s RabbitMQ for PCF 2.1.2
    • a9s Redis for PCF 2.1.2
    • Aerospike EE Managed Service Removed from Pivnet
    • Aerospike Service Broker for PCF Removed from Pivnet
    • Apigee Edge Service Broker for PCF 3.1.3
    • AppDynamics Application Analytics for PCF 4.7.652
    • AppDynamics Application Performance Monitoring for PCF 4.6.64
    • AppDynamics Platform Monitoring for PCF 4.7.217
    • Blue Medora Nozzle for PCF 3.1.1
    • Contrast Security Service Broker for PCF 2.2.0
    • CyberArk Conjur Service Broker for PCF 1.1.1
    • DataStax Enterprise Service Broker for PCF 1.0.2
    • Datadog Application Monitoring for PCF 1.7.0
    • Dynatrace Service Broker for PCF 1.4.2
    • ForgeRock Service Broker for PCF 2.1.2
    • GCP Service Broker for PCF 4.2.3
    • IBM WebSphere Liberty for PCF 3.11.0
    • Microsoft Azure Log Analytics Nozzle for PCF 1.4.1
    • Microsoft Azure Service Broker for PCF 1.4.1
    • New Relic Dotnet Extension Buildpack for PCF 1.1.1
    • New Relic Nozzle for PCF 1.1.17
    • New Relic Service Broker for PCF 1.12.64
    • PagerDuty Service Broker for PCF 1.2.4
    • Riverbed SteelCentral AppInternals for PCF 10.21.1.-BL516
    • SMB Volume Service for PCF 1.1.1
    • Signal Sciences Service Broker for PCF 1.1.0
    • Snyk Service Broker for PCF 1.0.3
    • Solace PubSub+ for PCF 2.3.2
    • Splunk Nozzle for PCF 1.1.1
    • Sumo Logic Nozzle for PCF 1.0.1
    • Synopsys Seeker IAST Service Broker for PCF 1.2.14
    • TIBCO BusinessWorks™ Container Edition Buildpack for PCF 2.4.4
    • Wavefront by VMware Nozzle for PCF 1.0.2
    • YugaByte DB Enterprise for PCF 1.1.8

References

History

2019-07-18: Initial vulnerability report published

2019-08-15: Additional affected products and mitigation added

2019-08-26: Updated product version for Partner product AppDynamics Platform Monitoring for PCF

2019-09-19: Additional affected products and mitigation added