CVE-2016-0883 Pivotal Ops Manager Weak Authentication Scheme


Severity

Critical

Vendor

Pivotal

Versions Affected
  • PCF Ops Manager 1.0 - 1.4.x, 1.5.0 - 1.5.13, 1.6.0 - 1.6.8

Description

Pivotal Cloud Foundry Ops Manager web authentication uses a weak authentication scheme that can be compromised by a remote user. Session information, located in an encrypted cookie, is encrypted with a key shared between installations of Ops Manager.

Mitigation

Pivotal Ops Manager users should follow the appropriate mitigation below:

  • Upgrade to Ops Manager 1.6.9 and later versions of 1.6.x
  • Upgrade to Ops Manager 1.5.14 and later versions of 1.5.x

Credit

Andrew Cantino