All Vulnerability Reports

CVE-2019-3781: CF CLI does not sanitize user's password in verbose/trace/debug


Severity

High

Vendor

Pivotal Cloud Foundry

Description

Cloud Foundry CLI, versions prior to v6.43.0, CLI Release versions prior to v1.13.0, improperly exposes passwords when verbose/trace/debugging is turned on. A local unauthenticated or remote authenticated malicious user with access to logs may gain part or all of a users password. Various Pivotal and Partner products that consume the CF CLI are affected.

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • CF Autoscaling Release versions prior to v219
  • CredHub Service Broker for PCF versions prior to 1.3.2
  • Metric Registrar CLI versions prior to 1.2.0
  • MySQL for PCF
    • 2.5.x versions prior to 2.5.7
    • 2.6.x versions prior to 2.6.3
  • ODB release versions prior to 0.29.0
  • PCF Service Broker for AWS versions prior to 1.4.13
  • Pivotal Application Service (PAS)
    • 2.3.x versions prior to 2.3.15
    • 2.4.x versions prior to 2.4.10
    • 2.5.x versions prior to 2.5.6
  • Pivotal Cloud Cache versions prior to 1.8.1
  • Pivotal Cloud Foundry App Autoscaler versions prior to 2.0.199
  • Pivotal Cloud Foundry Event Alerts versions prior to 1.2.8
  • Pivotal Cloud Foundry Healthwatch
    • 1.4.x versions prior to 1.4.7
    • 1.5.x versions prior to 1.5.4
  • Pivotal Cloud Foundry Metrics versions prior to 1.6.1
  • Pivotal Isolation Segment
    • 2.3.x versions prior to 2.3.1
    • 2.4.x versions prior to 2.4.5
    • 2.5.x versions prior to 2.5.4
  • RabbitMQ for PCF
    • 1.15.x versions prior to 1.15.11
    • 1.16.x versions prior to 1.16.4
  • Redis for PCF
    • 2.0.x versions prior to 2.0.4
    • 2.1.x versions prior to 2.1.3
  • Scheduler for PCF versions prior to 1.2.27
  • Single Sign-On for PCF
    • 1.7.x versions prior to 1.7.5
    • 1.8.x versions prior to 1.8.4
    • 1.9.x versions prior to 1.9.1
  • Spring Cloud Services for PCF versions prior to 2.0.10
Affected Partner Products and Versions

Severity is high unless otherwise noted.

  • a9s Elasticsearch for PCF versions prior to 2.1.2
  • a9s LogMe for PCF versions prior to 2.1.2
  • a9s MongoDB for PCF versions prior to 2.1.2
  • a9s MySQL versions prior to 2.1.2
  • a9s PostgreSQL versions prior to 2.1.2
  • a9s RabbitMQ for PCF versions prior to 2.1.2
  • a9s Redis for PCF versions prior to 2.1.2
  • Apigee Edge Service Broker for PCF versions prior to 3.1.3
  • AppDynamics Application Analytics for PCF versions prior to 4.7.652
  • AppDynamics Application Performance Monitoring for PCF versions prior to 4.6.64
  • AppDynamics Platform Monitoring for PCF versions prior to 4.7.217
  • Blue Medora Nozzle for PCF versions prior to 3.1.1
  • Contrast Security Service Broker for PCF versions prior to 2.2.0
  • CyberArk Conjur Service Broker for PCF versions prior to 1.1.1
  • DataStax Enterprise Service Broker for PCF versions prior to 1.0.2
  • Datadog Application Monitoring for PCF versions prior to 1.7.0
  • Dynatrace Service Broker for PCF versions prior to 1.4.2
  • ForgeRock Service Broker for PCF versions prior to 2.1.2
  • GCP Service Broker for PCF versions prior to 4.2.3
  • IBM WebSphere Liberty for PCF versions prior to 3.11.0
  • Microsoft Azure Log Analytics Nozzle for PCF versions prior to 1.4.1
  • Microsoft Azure Service Broker for PCF versions prior to 1.4.1
  • New Relic Dotnet Extension Buildpack for PCF versions prior to 1.1.1
  • New Relic Nozzle for PCF versions prior to 1.1.17
  • New Relic Service Broker for PCF versions prior to 1.12.64
  • PagerDuty Service Broker for PCF versions prior to 1.2.4
  • Riverbed SteelCentral AppInternals for PCF versions prior to 10.21.1.-BL516
  • SMB Volume Service for PCF versions prior to 1.1.1
  • Signal Sciences Service Broker for PCF versions prior to 1.1.0
  • Snyk Service Broker for PCF versions prior to 1.0.3
  • Solace PubSub+ for PCF versions prior to 2.3.2
  • Splunk Nozzle for PCF versions prior to 1.1.1
  • Sumo Logic Nozzle for PCF versions prior to 1.0.1
  • Synopsys Seeker IAST Service Broker for PCF versions prior to 1.2.14
  • TIBCO BusinessWorks™ Container Edition Buildpack for PCF versions prior to 2.4.4
  • Wavefront by VMware Nozzle for PCF versions prior to 1.0.2
  • YugaByte DB Enterprise for PCF versions prior to 1.1.8
Mitigation

Users of affected versions should apply the following mitigation:

  • Pivotal releases that have fixed this issue include:
    • CF Autoscaling Release v219
    • CredHub Service Broker for PCF 1.3.2
    • Metric Registrar CLI 1.2.0
    • MySQL for PCF
      • 2.5.7
      • 2.6.3
    • ODB release 0.29.0
    • PCF Service Broker for AWS 1.4.13
    • Pivotal Application Service (PAS)
      • 2.3.15
      • 2.4.10
      • 2.5.6
    • Pivotal Cloud Cache 1.8.1
    • Pivotal Cloud Foundry App Autoscaler 2.0.199
    • Pivotal Cloud Foundry Event Alerts 1.2.8
    • Pivotal Cloud Foundry Healthwatch
      • 1.4.7
      • 1.5.4
    • Pivotal Cloud Foundry Metrics
      • 1.6.1
    • Pivotal Isolation Segment
      • 2.3.1
      • 2.4.5
      • 2.5.4
    • RabbitMQ for PCF
      • 1.15.11
      • 1.16.4
    • Redis for PCF
      • 2.0.4
      • 2.1.3
    • Scheduler for PCF
      • 1.2.27
    • Single Sign-On for PCF 1.7.5, 1.8.4, 1.9.1
    • Spring Cloud Services for PCF 2.0.10
  • Partner releases that have fixed this issue include:
    • a9s Elasticsearch for PCF 2.1.2
    • a9s LogMe for PCF 2.1.2
    • a9s MongoDB for PCF 2.1.2
    • a9s MySQL 2.1.2
    • a9s PostgreSQL 2.1.2
    • a9s RabbitMQ for PCF 2.1.2
    • a9s Redis for PCF 2.1.2
    • Aerospike EE Managed Service Removed from Pivnet
    • Aerospike Service Broker for PCF Removed from Pivnet
    • Apigee Edge Service Broker for PCF 3.1.3
    • AppDynamics Application Analytics for PCF 4.7.652
    • AppDynamics Application Performance Monitoring for PCF 4.6.64
    • AppDynamics Platform Monitoring for PCF 4.7.217
    • Blue Medora Nozzle for PCF 3.1.1
    • Contrast Security Service Broker for PCF 2.2.0
    • CyberArk Conjur Service Broker for PCF 1.1.1
    • DataStax Enterprise Service Broker for PCF 1.0.2
    • Datadog Application Monitoring for PCF 1.7.0
    • Dynatrace Service Broker for PCF 1.4.2
    • ForgeRock Service Broker for PCF 2.1.2
    • GCP Service Broker for PCF 4.2.3
    • IBM WebSphere Liberty for PCF 3.11.0
    • Microsoft Azure Log Analytics Nozzle for PCF 1.4.1
    • Microsoft Azure Service Broker for PCF 1.4.1
    • New Relic Dotnet Extension Buildpack for PCF 1.1.1
    • New Relic Nozzle for PCF 1.1.17
    • New Relic Service Broker for PCF 1.12.64
    • PagerDuty Service Broker for PCF 1.2.4
    • Riverbed SteelCentral AppInternals for PCF 10.21.1.-BL516
    • SMB Volume Service for PCF 1.1.1
    • Signal Sciences Service Broker for PCF 1.1.0
    • Snyk Service Broker for PCF 1.0.3
    • Solace PubSub+ for PCF 2.3.2
    • Splunk Nozzle for PCF 1.1.1
    • Sumo Logic Nozzle for PCF 1.0.1
    • Synopsys Seeker IAST Service Broker for PCF 1.2.14
    • TIBCO BusinessWorks™ Container Edition Buildpack for PCF 2.4.4
    • Wavefront by VMware Nozzle for PCF 1.0.2
    • YugaByte DB Enterprise for PCF 1.1.8
References
History

2019-07-18: Initial vulnerability report published.

2019-08-26: Updated product version for Partner product AppDynamics Platform Monitoring for PCF

2019-09-19: Additional affected products and mitigation added

Contact us