CVE-2018-11081: Ops Manager writes UAA credentials to disk


Severity

High

Vendor

Pivotal

Description

Ops Manager 2.2.x versions prior to 2.2.1, 2.1.x versions prior to 2.1.11, and 2.0.x versions prior to 2.0.16 fail to write the UAA config onto the temporary RAM disk and instead write it directly to disk, where it is exposed. A remote user who has gained access to the Ops Manager VM can search the file system and find the Ops Manager UAA credentials on the system disk.
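
One way to verify, on a Linux host, that a secrets file is held by a RAM-backed mount rather than persistent disk, which is the property the description above says was violated. This is an added example, not Pivotal's code or fix; the mount table and file paths are constructed placeholders and the function names are hypothetical.

```python
import os

RAM_BACKED = {"tmpfs", "ramfs"}  # filesystem types that live in memory

# Constructed /proc/mounts-style sample; not taken from an Ops Manager VM.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /run tmpfs rw,nosuid,noexec 0 0
tmpfs /mnt/ramdisk tmpfs rw,nosuid,nodev,size=65536k 0 0
"""

def parse_mounts(text):
    """Return [(mount_point, fstype), ...] from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            # The kernel escapes spaces in mount points as \040.
            mounts.append((fields[1].replace("\\040", " "), fields[2]))
    return mounts

def backing_fs(path, mounts):
    """Filesystem type of the mount holding `path`: the longest mount point
    that is a whole-component prefix; later entries win ties (overmounts)."""
    # normpath collapses "..", but does not resolve symlinks. On a live host
    # pass os.path.realpath(path) so a symlink off the RAM disk is caught.
    path = os.path.normpath(path)
    best_mp, best_fs = "", None
    for mount_point, fstype in mounts:
        mp = mount_point.rstrip("/") or "/"
        inside = mp == "/" or path == mp or path.startswith(mp + "/")
        if inside and len(mp) >= len(best_mp):
            best_mp, best_fs = mp, fstype
    return best_fs

def on_ram_disk(path, mounts):
    """True only if `path` is held by a tmpfs/ramfs mount."""
    return backing_fs(path, mounts) in RAM_BACKED

if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    # Hypothetical config locations, used only to exercise the check.
    for p in ("/mnt/ramdisk/uaa.yml", "/mnt/ramdisk-old/uaa.yml", "/opt/example/uaa.yml"):
        verdict = "RAM-backed" if on_ram_disk(p, mounts) else "ON DISK"
        print(p, "->", backing_fs(p, mounts), verdict)
```

tmpfs pages can be written out to swap, so a tmpfs result rules out the system disk only when swap is disabled or encrypted.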

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • Ops Manager
    • 2.2 versions prior to 2.2.1
    • 2.1 versions prior to 2.1.11
    • 2.0 versions prior to 2.0.16

Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • Ops Manager: 2.2.1, 2.1.11, 2.0.16

Credit

This vulnerability was responsibly reported by Pivotal.

History

2018-09-27: Initial vulnerability report published