Various CVEs: UAA consumes vulnerable versions of FasterXML jackson-databind
Severity

Critical

Vendor

Pivotal

Description

Certain versions of Pivotal Application Service (PAS), Pivotal Container Service (PKS), and Pivotal Ops Manager consume versions of UAA having a dependency on a vulnerable version of FasterXML jackson-databind. These issues have been assigned identifiers: CVE-2019-17531, CVE-2019-14379, CVE-2019-16942, CVE-2019-14540, CVE-2019-17267, CVE-2019-16335, and CVE-2019-16943.

Affected VMware Products and Versions

Severity is critical unless otherwise noted.

Older versions may also be affected.

  • Pivotal Application Service (PAS)
    • 2.5 versions prior to 2.5.14
    • 2.6 versions prior to 2.6.9
    • 2.7 versions prior to 2.7.3
  • Pivotal Container Service (PKS)
    • 1.5 versions prior to 1.5.2
    • 1.6 versions prior to 1.6.1
  • Pivotal Ops Manager
    • 2.5 versions prior to 2.5.21
    • 2.6 versions prior to 2.6.13
    • 2.7 versions prior to 2.7.2

Mitigation

Users of affected versions should upgrade to a fixed release. Releases that contain the fix for this issue include:

  • Pivotal Application Service (PAS)
    • 2.5.14
    • 2.6.9
    • 2.7.3
  • Pivotal Container Service (PKS)
    • 1.5.2
    • 1.6.1
  • Pivotal Ops Manager
    • 2.5.21
    • 2.6.13
    • 2.7.2

History

2020-03-04: Initial vulnerability report published.