Various CVEs: UAA consumes vulnerable versions of FasterXML jackson-databind
Severity
Critical
Vendor
Pivotal
Description
Certain versions of Pivotal Application Service (PAS), Pivotal Container Service (PKS), and Pivotal Ops Manager consume versions of UAA having a dependency on a vulnerable version of FasterXML jackson-databind. These issues have been assigned identifiers: CVE-2019-17531, CVE-2019-14379, CVE-2019-16942, CVE-2019-14540, CVE-2019-17267, CVE-2019-16335, and CVE-2019-16943.
Affected VMware Products and Versions
Severity is critical unless otherwise noted.
Older versions may also be affected.
- Pivotal Application Service (PAS)
  - 2.5 versions prior to 2.5.14
  - 2.6 versions prior to 2.6.9
  - 2.7 versions prior to 2.7.3
- Pivotal Container Service (PKS)
  - 1.5 versions prior to 1.5.2
  - 1.6 versions prior to 1.6.1
- Pivotal Ops Manager
  - 2.5 versions prior to 2.5.21
  - 2.6 versions prior to 2.6.13
  - 2.7 versions prior to 2.7.2
Mitigation
Users of affected versions should upgrade to a fixed release. Releases that fix these issues include:
- Pivotal Application Service (PAS)
  - 2.5.14
  - 2.6.9
  - 2.7.3
- Pivotal Container Service (PKS)
  - 1.5.2
  - 1.6.1
- Pivotal Ops Manager
  - 2.5.21
  - 2.6.13
  - 2.7.2
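To turn the affected-version and fixed-release lists above into a repeatable check against a deployment inventory, here is an added example (not part of the advisory or any Pivotal tooling). It assumes product names are reported exactly as the advisory spells them and that versions look like `x.y.z` with optional build metadata; the sample inventory is constructed.

```python
from typing import Iterable, List, Optional, Tuple
# Affected minor lines and the release that fixes each, per this advisory.
FIXED_VERSIONS = {
    "Pivotal Application Service (PAS)": {(2, 5): (2, 5, 14), (2, 6): (2, 6, 9), (2, 7): (2, 7, 3)},
    "Pivotal Container Service (PKS)": {(1, 5): (1, 5, 2), (1, 6): (1, 6, 1)},
    "Pivotal Ops Manager": {(2, 5): (2, 5, 21), (2, 6): (2, 6, 13), (2, 7): (2, 7, 2)},
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.6.9' or '2.6.9-build.3' into an int tuple; build metadata is ignored."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {text!r}")
    return parts

def check_version(product: str, version: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_release); status is 'affected', 'fixed' or 'unknown'.
    'unknown' = no fix listed for that product/minor line (older lines may still be affected)."""
    lines = FIXED_VERSIONS.get(product)
    if lines is None:
        return "unknown", None
    parsed = parse_version(version)
    fixed = lines.get(parsed[:2])
    if fixed is None:
        return "unknown", None
    # Pad a bare 'x.y' to 'x.y.0' so it sorts before the first patch release.
    padded = parsed[:3] + (0,) * (3 - len(parsed[:3]))
    status = "affected" if padded < fixed else "fixed"
    return status, ".".join(str(p) for p in fixed)

def scan_inventory(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (product, running_version, fixed_release) for every affected entry."""
    findings = []
    for product, version in inventory:
        status, fixed = check_version(product, version)
        if status == "affected":
            findings.append((product, version, fixed))
    return findings
# Constructed sample inventory (hypothetical deployment, not from the advisory).
SAMPLE_INVENTORY = [
    ("Pivotal Application Service (PAS)", "2.6.8"),
    ("Pivotal Application Service (PAS)", "2.7.3"),
    ("Pivotal Container Service (PKS)", "1.5.1-build.7"),
    ("Pivotal Ops Manager", "2.6.13"),
]

for product, version, fixed in scan_inventory(SAMPLE_INVENTORY):
    print(f"AFFECTED: {product} {version} -> upgrade to {fixed}")
```

Entries reported as `unknown` are minor lines the advisory does not list; since it warns that older versions may also be affected, review those by hand rather than treating them as safe.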
History
2020-03-04: Initial vulnerability report published.