CVE-2016-0898 Service backups log AWS key
Some versions of ‘MySQL for PCF’ tiles were discovered to log the AWS access key in plain text. These credentials were logged to the Service Backup component logs, and not the system log, thus were not exposed outside the Service Backup VM.
Severity is low unless otherwise noted.
- MySQL for PCF 1.7.x versions prior to 1.7.10
Users of affected versions should apply the following mitigation:
- Upgrade MySQL for PCF to 1.7.10 or later
- The following versions do not need upgrading for this issue:
- MySQL for PCF 1.6.x
- MySQL for PCF 1.8.x and above
- We recommend rotating the AWS access key used for MySQL backups.
This vulnerability was responsibly reported by a Pivotal Team.
2016-12-28: Initial vulnerability report published