CVE-2020-5400: Cloud Controller logs environment variables from app manifests
Severity
High
Vendor
Pivotal
Description
VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.16, 2.7.x versions prior to 2.7.10, and 2.8.x versions prior to 2.8.4, contain a vulnerable version of Cloud Controller (CAPI), which logs properties of background jobs when they are run, which may include sensitive information such as credentials if provided to the job. A malicious user with access to those logs may gain unauthorized access to resources protected by such credentials.
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- VMware Tanzu Application Service for VMs
  - 2.6.x versions prior to 2.6.16
  - 2.7.x versions prior to 2.7.10
  - 2.8.x versions prior to 2.8.4
Mitigation
Relevant log lines include the text "about to run job". Operators should search Cloud Controller logs for that string and inform developers to rotate any credentials found there; upgrading stops new entries from being written but does not remove the ones already logged, including any copies forwarded to log aggregation. Examples include service credentials provided to service broker jobs and environment variables provided to apps deployed using server-side manifests (such as by cf v3-apply-manifest or cf7 push). Users of affected versions should upgrade to the following fixed versions:
- VMware Tanzu Application Service for VMs
  - 2.6.16
  - 2.7.10
  - 2.8.4
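The log search the mitigation describes, as an added example that is not part of this advisory or of Cloud Controller itself: it walks a log file, keeps only lines containing "about to run job", pulls the key/value pairs logged after the marker, flags key names that look like credentials and prints each value redacted so the triage report does not become another copy of the secret. The log layout it parses (Steno-style JSON lines with a "message" field, job properties rendered as Ruby-inspect "KEY"=>"VALUE" pairs) and the sample lines are constructed assumptions; adjust PAIR_RE to match what your own Cloud Controller logs contain.

```python
"""Triage helper for CVE-2020-5400: find "about to run job" lines in Cloud
Controller logs and list the job properties (env vars, service credentials)
they exposed, so the owners can be told what to rotate.

Added example, not part of the advisory or of CAPI. The log layout used here
(Steno-style JSON lines with a "message" field, job properties rendered as
Ruby-inspect "KEY"=>"VALUE" pairs) is an assumption; adjust PAIR_RE to match
what your own logs contain.
"""
import json
import re

MARKER = "about to run job"

# Key names that usually hold secrets. Assumption: extend for your estate.
SECRET_KEY_RE = re.compile(
    r"pass(word)?|secret|token|api[_-]?key|private[_-]?key|credential|auth",
    re.IGNORECASE,
)

# Key/value pairs as "KEY"=>"VALUE" (Ruby inspect), "KEY":"VALUE" (JSON) or
# KEY="VALUE". Nested containers are skipped; their inner pairs still match.
PAIR_RE = re.compile(r'"?([A-Za-z_][A-Za-z0-9_.-]*)"?\s*(?:=>|:|=)\s*"([^"]*)"')

# Constructed sample log; these are not real CAPI log lines.
SAMPLE_LOG = "\n".join([
    json.dumps({"timestamp": 1586131200.0, "log_level": "info", "source": "cc.api",
                "message": "Started GET /v3/apps"}),
    json.dumps({"timestamp": 1586131201.0, "log_level": "info", "source": "cc.background",
                "message": 'about to run job VCAP::CloudController::Jobs::V3::AppApplyManifest '
                           'env={"DB_PASSWORD"=>"hunter2", "LOG_LEVEL"=>"debug"}'}),
    json.dumps({"timestamp": 1586131202.0, "log_level": "info", "source": "cc.background",
                "message": 'about to run job VCAP::CloudController::Jobs::Services::ServiceInstanceBind '
                           'params={"credentials"=>{"api_token"=>"tok-abc123"}}'}),
    # A non-JSON line, to exercise the plain-text fallback.
    'cc.background: about to run job Foo env={"USER"=>"app"}',
])


def message_of(line):
    """Return the message text of one log line: the "message" field of a JSON
    record, or the raw line when it is not JSON."""
    try:
        record = json.loads(line)
    except ValueError:
        return line
    return record.get("message", "") if isinstance(record, dict) else line


def job_lines(text):
    """Yield (line_number, message) for every line carrying the marker."""
    for number, line in enumerate(text.splitlines(), start=1):
        message = message_of(line)
        if MARKER in message:
            yield number, message


def extract_pairs(message):
    """Return [(key, value), ...] found after the marker in one message."""
    tail = message.split(MARKER, 1)[1]
    return PAIR_RE.findall(tail)


def redact(value):
    """Keep only the first and last two characters so the report itself does
    not carry the full secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def find_logged_job_properties(text):
    """Return one finding per logged property: line number, key, redacted
    value and whether the key name looks like a credential."""
    findings = []
    for number, message in job_lines(text):
        for key, value in extract_pairs(message):
            findings.append({
                "line": number,
                "key": key,
                "value": redact(value),
                "suspicious": bool(SECRET_KEY_RE.search(key)),
            })
    return findings


def keys_to_rotate(text):
    """Sorted, de-duplicated list of credential-looking keys: the list to
    hand to the app and service owners."""
    return sorted({f["key"] for f in find_logged_job_properties(text) if f["suspicious"]})


if __name__ == "__main__":
    for f in find_logged_job_properties(SAMPLE_LOG):
        flag = "ROTATE" if f["suspicious"] else "      "
        print(f'{flag} line {f["line"]}: {f["key"]}={f["value"]}')
    print("keys to rotate:", keys_to_rotate(SAMPLE_LOG))
```

Run it against a real log with `find_logged_job_properties(open(path).read())`. Treat every key it reports as a candidate for rotation, not only the ones it flags: the name heuristic is there to prioritise, and an environment variable with an innocuous name can still hold a secret.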
Credit
Miki Mokrysz of the GOV.UK PaaS team
References
- https://www.cloudfoundry.org/blog/cve-2020-5400
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5400
History
2020-04-06: Initial vulnerability report published.