CVE-2020-5399: CredHub does not properly enable TLS for MySQL database connections
Severity
High
Vendor
Pivotal
Description
Pivotal Application Service (2.5 versions prior to 2.5.20, 2.6 versions prior to 2.6.15, 2.7 versions prior to 2.7.9, and 2.8 versions prior to 2.8.3) contains a vulnerable version of CredHub that connects to a MySQL database without TLS even when configured to use TLS. A malicious user with access to the network between CredHub and its MySQL database may eavesdrop on database connections and thereby gain unauthorized access to CredHub and other components.
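The failure mode described above is a silent downgrade: the client is configured for TLS, but the session to MySQL is negotiated in plaintext. The added example below is not CredHub or Pivotal code; it shows the defender-side check that catches this class of bug, which is to trust the server's report of the session rather than the client configuration. MySQL exposes the negotiated cipher and protocol in the session status variables `Ssl_cipher` and `Ssl_version` (both are empty strings on a non-TLS session), so the check compares what the deployment expects against what the server reports. The status rows are constructed inline to mimic the output of `SHOW SESSION STATUS LIKE 'Ssl_%'`; the `expects_tls` flag stands in for whatever configuration key the deployment uses, which this page does not name.

```python
"""Detect a silent TLS downgrade on a MySQL session.

Added example, not CredHub or Pivotal code. A client *configured* for TLS
is not evidence that TLS was *negotiated*; the session status variables
reported by the server are. On a plaintext session MySQL reports empty
strings for both `Ssl_cipher` and `Ssl_version`.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Mapping, Tuple

# Protocol versions a practitioner would flag even when TLS is on.
WEAK_TLS_VERSIONS = {"TLSv1", "TLSv1.1", "SSLv3"}


@dataclass(frozen=True)
class TlsAudit:
    expects_tls: bool   # what the deployment configuration asks for (assumed flag)
    negotiated: bool    # what the server reports for this session
    version: str
    cipher: str

    @property
    def silent_downgrade(self) -> bool:
        """TLS was required but the session runs in plaintext."""
        return self.expects_tls and not self.negotiated

    @property
    def weak_version(self) -> bool:
        """TLS is on, but with a protocol version that should be retired."""
        return self.negotiated and self.version in WEAK_TLS_VERSIONS


def status_to_dict(rows: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Turn (Variable_name, Value) rows from SHOW SESSION STATUS into a map."""
    return {name: value for name, value in rows}


def tls_negotiated(status: Mapping[str, str]) -> bool:
    """MySQL leaves both variables empty when the session is not encrypted."""
    return bool(status.get("Ssl_cipher")) and bool(status.get("Ssl_version"))


def audit_session(expects_tls: bool, rows: Iterable[Tuple[str, str]]) -> TlsAudit:
    """Compare the expected TLS posture with the server-reported one."""
    status = status_to_dict(rows)
    return TlsAudit(
        expects_tls=expects_tls,
        negotiated=tls_negotiated(status),
        version=status.get("Ssl_version", ""),
        cipher=status.get("Ssl_cipher", ""),
    )


# Constructed sample rows, shaped like `SHOW SESSION STATUS LIKE 'Ssl_%'`.
PLAINTEXT_SESSION = [("Ssl_cipher", ""), ("Ssl_version", ""), ("Ssl_cipher_list", "")]
TLS_SESSION = [("Ssl_cipher", "TLS_AES_256_GCM_SHA384"), ("Ssl_version", "TLSv1.3")]
LEGACY_TLS_SESSION = [("Ssl_cipher", "AES128-SHA"), ("Ssl_version", "TLSv1")]


if __name__ == "__main__":
    for label, rows in (("plaintext", PLAINTEXT_SESSION),
                        ("tls13", TLS_SESSION),
                        ("legacy", LEGACY_TLS_SESSION)):
        audit = audit_session(expects_tls=True, rows=rows)
        verdict = ("DOWNGRADE" if audit.silent_downgrade
                   else "WEAK" if audit.weak_version
                   else "OK")
        print(f"{label:10s} negotiated={audit.negotiated} "
              f"version={audit.version or '-'} cipher={audit.cipher or '-'} -> {verdict}")
```

In a live deployment the rows come from running the `SHOW SESSION STATUS` query over the same connection the application uses (or from `performance_schema.session_status` for another session), so the check observes the session as actually established, which is exactly what a configuration-only check misses.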
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Pivotal Application Service (PAS)
- 2.5 versions prior to 2.5.20
- 2.6 versions prior to 2.6.15
- 2.7 versions prior to 2.7.9
- 2.8 versions prior to 2.8.3
Mitigation
Users of affected versions should apply the following mitigation or upgrade:
- Pivotal Application Service (PAS)
- 2.5.20
- 2.6.15
- 2.7.9
- 2.8.3
Credit
Rob Greene
References
History
2020-02-12: Initial vulnerability report published.