CVE-2016-0898 Service backups log AWS key


Severity

Low

Vendor

Pivotal

Description

Some versions of the ‘MySQL for PCF’ tile were found to log the AWS access key in plain text. The credentials were written to the Service Backup component logs, not the system log, and therefore were not exposed outside the Service Backup VM.

Affected Pivotal Products and Versions

Severity is low unless otherwise noted.

  • MySQL for PCF 1.7.x versions prior to 1.7.10

Mitigation

Users of affected versions should apply the following mitigation:

  • Upgrade MySQL for PCF to 1.7.10 or later
  • The following versions do not need upgrading for this issue:
    • MySQL for PCF 1.6.x
    • MySQL for PCF 1.8.x and above
  • We recommend rotating the AWS access key used for MySQL backups.
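
To check whether retained Service Backup logs still contain a key before or after rotation, a scan like the following can be run over them and used to scrub copies that leave the VM. This is an added example, not Pivotal's code: the log line format and all function names are assumptions, and the sample lines are constructed from the placeholder keys in AWS documentation. It goes slightly beyond the advisory by also flagging 40-character secret keys while ignoring SHA-1 digests of the same length.

```python
import re

# Access key IDs: AKIA (long-term) or ASIA (temporary) followed by 16 characters.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys: exactly 40 base64-style characters, not part of a longer
# run, and not an all-hex string (which would be a SHA-1 digest, not a key).
SECRET_KEY = re.compile(
    r"(?<![A-Za-z0-9/+])(?![0-9a-fA-F]{40})[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])"
)
# (kind, pattern, characters left visible so a finding can be tied to a key)
PATTERNS = (("access_key_id", ACCESS_KEY_ID, 4), ("secret_key", SECRET_KEY, 0))

def redact(value, keep):
    """Mask a credential, leaving only the first `keep` characters."""
    return value[:keep] + "*" * (len(value) - keep)

def scan_lines(lines):
    """Return (line_number, kind, redacted_value) for each credential-like token."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for kind, pattern, keep in PATTERNS:
            for match in pattern.finditer(line):
                findings.append((number, kind, redact(match.group(), keep)))
    return findings

def scrub(line):
    """Return the line with credential-like tokens masked."""
    for _, pattern, keep in PATTERNS:
        line = pattern.sub(lambda m, k=keep: redact(m.group(), k), line)
    return line

# Constructed sample lines (hypothetical format, AWS documentation placeholder keys).
SAMPLE_LOG = [
    "2016-11-02T03:00:01Z service-backup: starting scheduled backup",
    "2016-11-02T03:00:02Z service-backup: access_key_id=AKIAIOSFODNN7EXAMPLE",
    "2016-11-02T03:00:02Z service-backup: secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "2016-11-02T03:04:40Z service-backup: done sha1=da39a3ee5e6b4b0d3255bfef95601890afd80709",
]

if __name__ == "__main__":
    for number, kind, value in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {kind} {value}")
```

Any hit means the key should be treated as exposed to whoever could read that log, so rotation still applies even after the log is scrubbed.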

Credit

This vulnerability was responsibly reported by a Pivotal Team.

History

2016-12-28: Initial vulnerability report published