CVE-2016-0898 Service backups log AWS key
Severity
Low
Vendor
Pivotal
Description
Some versions of ‘MySQL for PCF’ tiles were discovered to log the AWS access key in plain text. The credentials were written to the Service Backup component logs rather than the system log, so they were not exposed outside the Service Backup VM.
Affected VMware Products and Versions
Severity is low unless otherwise noted.
- MySQL for PCF 1.7.x versions prior to 1.7.10
Mitigation
Users of affected versions should apply the following mitigation:
- Upgrade MySQL for PCF to 1.7.10 or later
- The following versions do not need upgrading for this issue:
  - MySQL for PCF 1.6.x
  - MySQL for PCF 1.8.x and above
- We recommend rotating the AWS access key used for MySQL backups.
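
To support the rotation step, the sketch below checks retained Service Backup logs for AWS credentials and produces redacted copies of the affected lines. It is an added example, not Pivotal's code. The log line layout, the function names and the matching heuristics are assumptions, and the key values are AWS's published documentation examples.

```python
import re

# Long-term IAM access key IDs start with AKIA, temporary STS ones with ASIA,
# followed by 16 upper-case alphanumerics (20 characters in total).
KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret access key is 40 base64-style characters. Match it only when a
# "secret...key" label precedes it, so hashes and other 40-character tokens
# are not flagged (heuristic, assumed label spellings).
SECRET = re.compile(
    r"(secret[_-]?(?:access[_-]?)?key\W{1,4})([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE,
)

# Constructed sample lines; the real Service Backup log format may differ.
SAMPLE_LOG = [
    "2016-11-02T03:00:01Z INFO starting scheduled backup",
    "2016-11-02T03:00:01Z DEBUG env AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE "
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "2016-11-02T03:00:09Z INFO upload complete sha=9f86d081884c7d659a2faa0c55ad015a3bf4f1b2",
]

def scan_line(line):
    """Return (kinds_found, redacted_line) for one log line."""
    kinds = []

    def redact_id(match):
        kinds.append("access_key_id")
        return match.group(0)[:4] + "*" * 16   # keep only the AKIA/ASIA prefix

    def redact_secret(match):
        kinds.append("secret_access_key")
        return match.group(1) + "*" * 40       # keep the label, mask the value

    redacted = KEY_ID.sub(redact_id, line)
    redacted = SECRET.sub(redact_secret, redacted)
    return kinds, redacted

def scan_log(lines):
    """Return [(line_number, kinds_found, redacted_line)] for lines with hits."""
    hits = []
    for number, line in enumerate(lines, 1):
        kinds, redacted = scan_line(line.rstrip("\n"))
        if kinds:
            hits.append((number, kinds, redacted))
    return hits

if __name__ == "__main__":
    for number, kinds, redacted in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(kinds)} -> {redacted}")
```

Any hit confirms that the key in that log must be treated as exposed and rotated; the redacted lines can be shared in a ticket without repeating the leak.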
Credit
This vulnerability was responsibly reported by a Pivotal Team.
History
2016-12-28: Initial vulnerability report published