Pivotal Application Security Team

Overview

The Pivotal Application Security Team provides a single point of contact for the reporting of security vulnerabilities in Pivotal products and coordinates the process of investigating any reported vulnerabilities.

Reporting a vulnerability

We strongly encourage people to report security vulnerabilities privately to our security team before disclosing them in a public forum.

Please note that the e-mail address below should only be used for reporting undisclosed security vulnerabilities in Pivotal products and for managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other security-related queries at this address.

The e-mail address to use to contact the Pivotal Application Security Team is security@pivotal.io.

The fingerprint of the team's PGP key is: 16F6 51BF 4637 F486 C5E2 4635 19BB 5184 0191 92ED

The key can be obtained from a public key server such as pgp.mit.edu.


Pivotal Product Vulnerability Reports

Date          CVE Reference   Description
27 Jul 2016   CVE-2016-0896   IaaS Metadata Endpoint Accessible from Application Containers
15 Jul 2016   CVE-2016-0929   RabbitMQ for PCF vulnerability
07 Jul 2016   CVE-2016-5007   Spring Security / MVC Path Matching Inconsistency
07 Jul 2016   CVE-2016-0926   Apps Manager XSS vulnerability
05 Jul 2016   CVE-2016-4977   Remote Code Execution (RCE) in Spring Security OAuth
29 Jun 2016   CVE-2016-0928   PCF Open Redirects
24 Jun 2016   CVE-2016-0897   Ops Manager vSphere and vCloud vulnerability
23 Jun 2016   CVE-2016-0927   Ops Manager XSS vulnerability
11 Apr 2016   CVE-2016-2173   Remote Code Execution in Spring AMQP
23 Mar 2016   CVE-2016-0780   Cloud Controller Disk Quota Enforcement
23 Mar 2016   CVE-2016-2165   Loggregator Request URL Paths
23 Mar 2016   CVE-2016-0781   UAA Persistent XSS Vulnerability
03 Feb 2016   CVE-2016-0883   PCF Ops Manager Weak Authentication Scheme
12 Nov 2015   CVE-2015-5258   Spring Social CSRF
15 Oct 2015   CVE-2015-5211   RFD Attack in Spring Framework
30 Jun 2015   CVE-2015-3192   DoS Attack with XML Input
06 Mar 2015   CVE-2015-0201   Insufficiently random session id in Java SockJS client
11 Nov 2014   CVE-2014-3625   Directory Traversal in Spring Framework
05 Sep 2014   CVE-2014-3578   Directory Traversal in Spring Framework
15 Aug 2014   CVE-2014-3527   Access Control Bypass in Spring Security
28 May 2014   CVE-2014-0225   Information Disclosure when using Spring MVC
11 Mar 2014   CVE-2014-1904   XSS when using Spring MVC
11 Mar 2014   CVE-2014-0097   Blank password may bypass user authentication
11 Mar 2014   CVE-2014-0054   Incomplete fix for CVE-2013-7315 / CVE-2013-6429 (XXE)
19 Feb 2014   CVE-2014-0053   Information Disclosure when using Grails
14 Jan 2014   CVE-2013-6430   Possible XSS when using Spring MVC
14 Jan 2014   CVE-2013-6429   Incomplete fix for CVE-2013-7315 (XXE)
22 Aug 2013   CVE-2013-7315   XML eXternal Entity (XXE) injection in Spring Framework
22 Aug 2013   CVE-2013-4152   XML eXternal Entity (XXE) injection in Spring Framework

Notable Vulnerabilities in Dependencies[1]

Date          Reference   Description   Affected Pivotal Product(s)
18 Aug 2016   CVE-2016-5016   UAA accepts expired certificates   Cloud Foundry, Pivotal Cloud Foundry (PCF)
26 Jul 2016   CVE-2016-5006   Cloud Controller API logs user-provided service credentials   Cloud Foundry, Pivotal Cloud Foundry (PCF)
13 Jul 2016   CVE-2016-4450   Nginx Vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
13 Jul 2016   USN-3010-1   Expat vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
13 Jul 2016   USN-3012-1   Wget vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
01 Jul 2016   USN-3020-1   Linux kernel (Vivid HWE) vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
30 Jun 2016   CVE-2016-4468   UAA SQL Injection   Cloud Foundry, Pivotal Cloud Foundry (PCF)
15 Jun 2016   USN-3001-1   Linux kernel (Vivid HWE) vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
13 Jun 2016   CVE-2016-4435   BOSH Agent Anonymous Endpoint   Cloud Foundry, Pivotal Cloud Foundry (PCF)
13 Jun 2016   USN-2994-1   libxml2 vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
13 Jun 2016   USN-2991-1   nginx vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
13 Jun 2016   USN-2990-1   ImageMagick vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
13 Jun 2016   USN-2987-1   GD library vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
13 Jun 2016   USN-2985-2   GNU C Library regression   Cloud Foundry, Pivotal Cloud Foundry (PCF)
13 Jun 2016   USN-2983-1   Expat vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
13 Jun 2016   USN-2981-1   libarchive vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
13 Jun 2016   USN-2966-1   OpenSSH vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
13 Jun 2016   USN-2961-1   Little CMS vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
08 Jun 2016   CVE-2013-7456   PHP vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
03 Jun 2016   USN-2970-1   Linux kernel (Vivid HWE) vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
23 May 2016   CVE-2016-3084   UAA Password Reset Vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
19 May 2016   USN-2977-1   Linux kernel (Vivid HWE) vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
17 May 2016   CVE-2016-3091   Diego log encoding vulnerability   Diego-release
06 May 2016   USN-2959-1   OpenSSL vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
06 May 2016   USN-2957-1   Libtasn1 vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
06 May 2016   USN-2949-1   Linux kernel (Vivid HWE) vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
06 May 2016   USN-2943-1   PCRE vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
06 May 2016   USN-2935-2   PAM regression   Cloud Foundry, Pivotal Cloud Foundry (PCF)
02 May 2016   CVE-2015-5170-5173   UAA vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
14 Apr 2016   Badlock bug   Samba and Windows Vulnerabilities   n/a
24 Mar 2016   USN-2939-1   LibTIFF vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
24 Mar 2016   USN-2927-1   Graphite2 vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
24 Mar 2016   USN-2925-1   Bind9 vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
24 Mar 2016   USN-2919-1   JasPer vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
24 Mar 2016   USN-2918-1   Pixman vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
24 Mar 2016   USN-2916-1   Perl vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
24 Mar 2016   USN-2914-1   OpenSSL vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
24 Mar 2016   NPM Ownership Issue   Warning about NPM modules   Cloud Foundry, Pivotal Cloud Foundry (PCF)
24 Mar 2016   USN-2938-1   Git vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
16 Mar 2016   USN-2932-1   Linux kernel vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
02 Mar 2016   CVE-2016-0800   OpenSSL vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
26 Feb 2016   USN-2910-1   Linux kernel vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
26 Feb 2016   CVE-2016-0761   Garden Docker Image Host Files Corruption   Cloud Foundry, Pivotal Cloud Foundry (PCF)
19 Feb 2016   USN-2900-1   GNU libc vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
02 Feb 2016   CVE-2016-0732   UAA Privilege Escalation   Cloud Foundry, Pivotal Cloud Foundry (PCF)
22 Jan 2016   USN-2871-1   Linux kernel vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
20 Jan 2016   CVE-2016-0715   Java Buildpack vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
19 Jan 2016   USN-2865-1   GnuTLS vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
19 Jan 2016   USN-2861-1   libpng vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
19 Jan 2016   USN-2868-1   DHCP vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
19 Jan 2016   USN-2869-1   OpenSSH vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
18 Jan 2016   CVE-2016-0708   Java Buildpack vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
07 Jan 2016   USN-2857-1   Linux kernel vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
07 Jan 2016   USN-2842-1/USN-2842-2   Linux kernel vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
07 Jan 2016   USN-2837-1   bind vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
07 Jan 2016   USN-2836-1   GRUB vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
07 Jan 2016   USN-2835-1   git vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
07 Jan 2016   USN-2834-1   libxml vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
07 Jan 2016   USN-2830-1   OpenSSL vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
07 Jan 2016   USN-2829-1   Linux kernel vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
15 Dec 2015   CVE-2015-5350   Garden Linux File vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
04 Dec 2015   USN-2821-1   GnuTLS vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
04 Dec 2015   USN-2820-1   dpkg vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
02 Dec 2015   USN-2815-1   PNG vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
02 Dec 2015   USN-2812-1   libxml2 vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
02 Dec 2015   USN-2810-1   Kerberos vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
02 Dec 2015   USN-2787-1   audiofile vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
24 Nov 2015   USN-2788-1/USN-2788-2   unzip vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
12 Nov 2015   USN-2806-1   Linux kernel vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
12 Nov 2015   USN-2798-1   Linux kernel vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
03 Nov 2015   USN-2767-1   GDK-Pixbuf library vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
03 Nov 2015   USN-2778-1   Linux kernel vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
07 Oct 2015   Golang   Golang 1.4.3 CVE Fixes   Cloud Foundry, Pivotal Cloud Foundry Suite
07 Oct 2015   USN-2722-1   GDK-PixBuf Vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry Suite
07 Oct 2015   USN-2711-1   Net-SNMP Vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry Suite
07 Oct 2015   USN-2739-1   FreeType Vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry Suite
07 Oct 2015   USN-2740-1   ICU Vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry Suite
07 Oct 2015   USN-2751-1   Linux Kernel (Vivid HWE) Vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry Suite
07 Oct 2015   USN-2756-1   rpcbind Vulnerability   Cloud Foundry, Pivotal Cloud Foundry Suite
07 Oct 2015   USN-2765-1   Linux Kernel (Vivid HWE) Vulnerability   Cloud Foundry, Pivotal Cloud Foundry Suite
08 Sep 2015   USN-2710-1   OpenSSH Vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry Suite
08 Sep 2015   USN-2698-1   SQLite Vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry Suite
08 Sep 2015   USN-2694-1   PCRE Vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry Suite
08 Sep 2015   USN-2718-1   Address Configuration Change Vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry Suite
06 Aug 2015   USN-2696-1   OpenJDK 7 Vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
29 Jul 2015   CVE-2015-3290   Linux Kernel NMI vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
10 Jul 2015   CVE-2015-1420   file_handle size verification   Cloud Foundry, Pivotal Cloud Foundry (PCF)
10 Jul 2015   CVE-2015-3281   HAProxy vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
06 Jul 2015   CVE-2015-1330   Unattended-upgrades vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
25 Jun 2015   CVE-2015-3189   Expire old reset password links   Cloud Foundry, UAA, Pivotal Cloud Foundry (PCF)
25 Jun 2015   CVE-2015-3190   Open Redirect on Login   Cloud Foundry, UAA, Pivotal Cloud Foundry (PCF)
25 Jun 2015   CVE-2015-3191   CSRF attack on change email   Cloud Foundry, UAA, Pivotal Cloud Foundry (PCF)
17 Jun 2015   CVE-2015-1328   overlayfs privilege escalation   Cloud Foundry, Pivotal Cloud Foundry (PCF)
12 Jun 2015   USN-2639-1   openssl updates   Cloud Foundry, Pivotal Cloud Foundry (PCF)
12 Jun 2015   CVE-2015-3636   ipv4 use-after-free   Cloud Foundry, Pivotal Cloud Foundry (PCF)
09 Jun 2015   Redis LUA Sandbox   Redis   Cloud Foundry, Pivotal Cloud Foundry (PCF)
22 May 2015   CVE-2015-1834   CC Path Traversal   Cloud Foundry, Pivotal Cloud Foundry (PCF)
22 May 2015   USN-2617-1   FUSE Vulnerability   Cloud Foundry, Pivotal Cloud Foundry (PCF)
30 Apr 2015   CVE-2015-1855   Ruby OpenSSL Hostname Verification   Cloud Foundry, Pivotal Cloud Foundry (PCF)
23 Mar 2015   CVE-2015-0282   Multiple GnuTLS Vulnerabilities   Cloud Foundry
21 Mar 2015   USN-2537   Multiple OpenSSL Vulnerabilities   Cloud Foundry, Pivotal Cloud Foundry (PCF)
13 Mar 2015   CVE-2014-8159   Linux Kernel Infiniband Vulnerability
09 Feb 2015   CVE-2014-0227   Apache Tomcat Request Smuggling   Pivotal tc Server
28 Jan 2015   CVE-2015-0235   GHOST   Cloud Foundry, Pivotal Cloud Foundry (PCF)
16 Oct 2014   CVE-2014-3566   POODLE (SSLv3)   Cloud Foundry, Pivotal Cloud Foundry (PCF)
29 Sep 2014   CVE-2014-7186   Bash Out-of-Bounds   Cloud Foundry, Pivotal Cloud Foundry (PCF)
25 Sep 2014   CVE-2014-6271   Bash - ShellShock   Cloud Foundry, Pivotal Cloud Foundry (PCF)
19 Sep 2014   CVE-2014-5119   glib_gconv_translit_find() exploit   Cloud Foundry, Pivotal Cloud Foundry (PCF)
10 Sep 2014   CVE-2013-4444   Apache Tomcat Remote Code Execution   Pivotal tc Server
18 Aug 2014   CVE-2014-3153   Futex requeue exploit   Cloud Foundry, Pivotal Cloud Foundry (PCF)
05 Jun 2014   CVE-2014-0224   SSL/TLS MITM Vulnerability   vFabric Web Server, Pivotal Web Server, Enterprise Ready Server (ERS), Greenplum Command Center (GPCC), Greenplum Database (GPDB), HAWQ, Pivotal Command Center (PCC), Pivotal App Suite Virtual Appliance, GemFire Native Client
10 Apr 2014   CVE-2014-0160   Heartbleed   vFabric Web Server, vFabric GemFire Native Client, Pivotal GemFire Native Client, Pivotal Command Center, Pivotal App Suite Virtual Appliance

[1] This table is not yet a complete list of vulnerabilities in dependencies. Formulating such a list is an extensive undertaking which Pivotal is addressing systematically. When this table becomes a complete and comprehensive list, we will remove this footnote.

Thanks

The Pivotal Security Team would like to thank the following individuals and companies for responsibly reporting a security issue. Names appear in the order vulnerability reports were received, most recent first.

  • SaifAllah benMassaoud
  • Pradeep Kumar
  • Muhammad Abdullah
  • Koutrouss Naddara

Note: Reports of vulnerabilities in Pivotal products are listed in the credit section of the associated security announcement.