CVE-2018-11081: Ops Manager writes UAA credentials to disk
Ops Manager, versions 2.2.x versions prior to 2.2.1, 2.1.x versions prior to 2.1.11, 2.0.x versions prior to 2.0.16, fails to write the UAA config onto the temp ram disk, thus exposing the configs directly onto disk. A remote user that has gained access to the Ops manager VM can now file search and find the Ops Manager UAA credentials on the system disk.
Severity is high unless otherwise noted.
- Ops Manager
- 2.2 versions prior to 2.2.1
- 2.1 versions prior to 2.1.11
- 2.0 versions prior to 2.0.16
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
- Ops Manager: 2.2.1, 2.1.11, 2.0.16
This vulnerability was responsibly reported by Pivotal.
2018-09-27: Initial vulnerability report published