
CVE-2020-5422: UAA password may appear in Operations Manager process arguments


Severity

High

Vendor

VMware Tanzu

Description

Operations Manager, all versions prior to 2.7.22, 2.8.x versions prior to 2.8.12, 2.9.x versions prior to 2.9.9, and 2.10.x versions prior to 2.10.1, contained a version of BOSH System Metrics Server that passed the UAA password as a command-line flag to a process running on the BOSH director VM. Because process arguments are readable through ps or /proc/<pid>/cmdline, the password was visible to any user or process with access to that VM, regardless of which user the process ran as.
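The script below is an added check, not part of this advisory or of the BOSH project: it scans a /proc-style tree for processes that received a credential on their command line, which is the exposure class described above. The flag-name patterns, the binary paths and the sample argv values are constructed for illustration; the advisory does not name the flag that BOSH System Metrics Server actually used. On a director VM, run scan_cmdlines /proc as an unprivileged user to see exactly what such a user can read.

```shell
#!/bin/sh
# Added check: find processes that received a credential as a command-line
# argument, the exposure class behind CVE-2020-5422. Arguments are readable by
# every local user through ps or /proc/<pid>/cmdline (unless /proc is mounted
# with hidepid), so a secret in argv is effectively world-readable on the VM.
#
# Output: one line per finding, "<pid> <argv0> <flag>", with the value omitted.
# The flag-name patterns are assumptions for illustration; the advisory does
# not name the flag that BOSH System Metrics Server used.

# Flags whose name contains a credential-like word, in "-flag=value" or
# "-flag value" form (Go's flag package accepts both).
SECRET_FLAG_RE='^--?[a-z0-9_.-]*(password|passwd|secret|token)[a-z0-9_.-]*(=|$)'
# ... but "--password-file=/path" carries a path, not the secret itself.
FILE_FLAG_RE='^--?[a-z0-9_.-]*(file|path)(=|$)'

scan_cmdlines() {
  procdir=$1
  for cmdline in "$procdir"/[0-9]*/cmdline; do
    [ -r "$cmdline" ] || continue
    pid=${cmdline%/cmdline}
    pid=${pid##*/}
    # argv is NUL-separated; turn it into one argument per line.
    argv0=$(tr '\0' '\n' < "$cmdline" | head -n 1)
    tr '\0' '\n' < "$cmdline" | tail -n +2 \
      | grep -Ei -e "$SECRET_FLAG_RE" \
      | grep -Eiv -e "$FILE_FLAG_RE" \
      | sed 's/=.*//' \
      | while IFS= read -r flag; do
          printf '%s %s %s\n' "$pid" "$argv0" "$flag"
        done
  done
  return 0
}

make_sample_proc() {
  # Constructed sample in the shape of /proc/<pid>/cmdline, not captured from a
  # real director VM. Paths, flag names and values are invented for the example.
  root=$(mktemp -d)
  mkdir "$root/101" "$root/202" "$root/303"
  # Secret in "-flag=value" form.
  printf '/var/vcap/packages/example-metrics-server/bin/server\0--uaa-url=https://uaa.example.internal:8443\0--uaa-password=hunter2\0' > "$root/101/cmdline"
  # Nothing sensitive.
  printf '/usr/sbin/sshd\0-D\0' > "$root/202/cmdline"
  # Secret in "-flag value" form, plus a *-file flag that must not be reported.
  printf '/var/vcap/packages/example-agent/bin/agent\0-client-secret\0s3cr3t\0--password-file=/var/vcap/jobs/agent/config/pw\0' > "$root/303/cmdline"
  printf '%s\n' "$root"
}

# Demo on the constructed tree. On a real director VM: scan_cmdlines /proc
sample=$(make_sample_proc)
scan_cmdlines "$sample"
rm -rf "$sample"
```

The check reports only the flag name, never the value, so its own output does not become a second copy of the secret in a log. The usual alternatives for a daemon that needs a credential at start-up are a 0600 file it reads itself, stdin, or an environment variable: /proc/<pid>/environ is readable only by the process owner and root, whereas cmdline is open to every local user.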

Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • Operations Manager
    • All versions prior to 2.7.22
    • 2.8 versions prior to 2.8.12
    • 2.9 versions prior to 2.9.9
    • 2.10 versions prior to 2.10.1

Mitigation

Users of affected versions should upgrade to a fixed release; no other mitigation is listed for this issue. Releases that have fixed this issue include:

  • Operations Manager
    • 2.7.22
    • 2.8.12
    • 2.9.9
    • 2.10.1

History

2020-10-01: Initial vulnerability report published.