Pivotal Application Security Team


Overview

The Pivotal Application Security Team provides a single point of contact for the reporting of security vulnerabilities in Pivotal products and coordinates the process of investigating any reported vulnerabilities.

Reporting a vulnerability

We strongly encourage people to report security vulnerabilities privately to our security team before disclosing them in a public forum.

Please note that the e-mail address below should only be used for reporting undisclosed security vulnerabilities in Pivotal products and managing the process of fixing such vulnerabilities. We cannot accept regular bug reports or other security-related queries at this address.

The e-mail address to use to contact the Pivotal Application Security Team is security@pivotal.io.

The PGP public key for this address has the fingerprint: 7316 4408 E208 B232 D37B F320 A499 5C57 4AF3 65DA

It can be obtained from a public key server such as pgp.mit.edu.


Pivotal Product Vulnerability Reports

Date | CVE Reference | Description
30 June 2015 | CVE-2015-3192 | DoS Attack with XML Input
06 March 2015 | CVE-2015-0201 | Insufficiently random session id in Java SockJS client
11 November 2014 | CVE-2014-3625 | Directory Traversal in Spring Framework
05 September 2014 | CVE-2014-3578 | Directory Traversal in Spring Framework
15 August 2014 | CVE-2014-3527 | Access Control Bypass in Spring Security
28 May 2014 | CVE-2014-0225 | Information Disclosure when using Spring MVC
11 March 2014 | CVE-2014-1904 | XSS when using Spring MVC
11 March 2014 | CVE-2014-0097 | Blank password may bypass user authentication
11 March 2014 | CVE-2014-0054 | Incomplete fix for CVE-2013-7315 / CVE-2013-6429 (XXE)
19 February 2014 | CVE-2014-0053 | Information Disclosure when using Grails
14 January 2014 | CVE-2013-6430 | Possible XSS when using Spring MVC
14 January 2014 | CVE-2013-6429 | Incomplete fix for CVE-2013-7315 (XXE)
22 August 2013 | CVE-2013-7315 | XML eXternal Entity (XXE) injection in Spring Framework
22 August 2013 | CVE-2013-4152 | XML eXternal Entity (XXE) injection in Spring Framework

Notable Vulnerabilities in Dependencies[1]

Date | CVE Reference | Description | Affected Pivotal Product(s)
06 August 2015 | USN-2696-1 | OpenJDK 7 Vulnerabilities | Cloud Foundry, Pivotal Cloud Foundry (PCF)
29 July 2015 | CVE-2015-3290 | Linux Kernel NMI vulnerability | Cloud Foundry, Pivotal Cloud Foundry (PCF)
10 July 2015 | CVE-2015-1420 | file_handle size verification | Cloud Foundry, Pivotal Cloud Foundry (PCF)
10 July 2015 | CVE-2015-3281 | HAProxy vulnerabilities | Cloud Foundry, Pivotal Cloud Foundry (PCF)
06 July 2015 | CVE-2015-1330 | Unattended-upgrades vulnerability | Cloud Foundry, Pivotal Cloud Foundry (PCF)
25 June 2015 | CVE-2015-3189 | Expire old reset password links | Cloud Foundry, UAA, Pivotal Cloud Foundry (PCF)
25 June 2015 | CVE-2015-3190 | Open Redirect on Login | Cloud Foundry, UAA, Pivotal Cloud Foundry (PCF)
25 June 2015 | CVE-2015-3191 | CSRF attack on change email | Cloud Foundry, UAA, Pivotal Cloud Foundry (PCF)
17 June 2015 | CVE-2015-1328 | overlayfs privilege escalation | Cloud Foundry, Pivotal Cloud Foundry (PCF)
12 June 2015 | USN-2639-1 | openssl updates | Cloud Foundry, Pivotal Cloud Foundry (PCF)
12 June 2015 | CVE-2015-3636 | ipv4 use-after-free | Cloud Foundry, Pivotal Cloud Foundry (PCF)
09 June 2015 | | Redis LUA Sandbox | Redis, Cloud Foundry, Pivotal Cloud Foundry (PCF)
22 May 2015 | CVE-2015-1834 | CC Path Traversal | Cloud Foundry, Pivotal Cloud Foundry (PCF)
22 May 2015 | USN-2617-1 | FUSE Vulnerability | Cloud Foundry, Pivotal Cloud Foundry (PCF)
30 April 2015 | CVE-2015-1855 | Ruby OpenSSL Hostname Verification | Cloud Foundry, Pivotal Cloud Foundry (PCF)
23 March 2015 | CVE-2015-0282 | Multiple GnuTLS Vulnerabilities | Cloud Foundry
21 March 2015 | USN-2537 | Multiple OpenSSL Vulnerabilities | Cloud Foundry, Pivotal Cloud Foundry (PCF)
13 March 2015 | CVE-2014-8159 | Linux Kernel Infiniband Vulnerability |
09 February 2015 | CVE-2014-0227 | Apache Tomcat Request Smuggling | Pivotal tc Server
28 January 2015 | CVE-2015-0235 | GHOST | Cloud Foundry, Pivotal Cloud Foundry (PCF)
16 October 2014 | CVE-2014-3566 | POODLE (SSLv3) | Cloud Foundry, Pivotal Cloud Foundry (PCF)
29 September 2014 | CVE-2014-7186 | Bash Out-of-Bounds | Cloud Foundry, Pivotal Cloud Foundry (PCF)
25 September 2014 | CVE-2014-6271 | Bash - ShellShock | Cloud Foundry, Pivotal Cloud Foundry (PCF)
19 September 2014 | CVE-2014-5119 | glib_gconv_translit_find() exploit | Cloud Foundry, Pivotal Cloud Foundry (PCF)
10 September 2014 | CVE-2014-4444 | Apache Tomcat Remote Code Execution | Pivotal tc Server
18 August 2014 | CVE-2014-3153 | Futex requeue exploit | Cloud Foundry, Pivotal Cloud Foundry (PCF)
5 June 2014 | CVE-2014-0224 | SSL/TLS MITM Vulnerability | vFabric Web Server, Pivotal Web Server, Enterprise Ready Server (ERS), Greenplum Command Center (GPCC), Greenplum Database (GPDB), HAWQ, Pivotal Command Center (PCC), Pivotal App Suite Virtual Appliance, GemFire Native Client
10 April 2014 | CVE-2014-0160 | Heartbleed | vFabric Web Server, vFabric GemFire Native Client, Pivotal GemFire Native Client, Pivotal Command Center, Pivotal App Suite Virtual Appliance

[1] This table is not yet a complete list of vulnerabilities in dependencies. Formulating such a list is an extensive undertaking which Pivotal is addressing systematically. When this table becomes a complete and comprehensive list, we will remove this footnote.



Thanks

The Pivotal Security Team would like to thank the following individuals and companies for responsibly reporting a security issue. Names appear in the order vulnerability reports were received, most recent first.

  • Muhammad Abdullah
  • Koutrouss Naddara

Note: Reports of vulnerabilities in Pivotal products are listed in the credit section of the associated security announcement.
