CVE-2019-3781: CF CLI does not sanitize user's password in verbose/trace/debug
Severity
High
Vendor
Pivotal Cloud Foundry
Description
Cloud Foundry CLI versions prior to v6.43.0 and CLI Release versions prior to v1.13.0 improperly expose passwords when verbose, trace or debug output is turned on. A local unauthenticated or remote authenticated malicious user with access to the logs may obtain part or all of a user's password. Various Pivotal and partner products that consume the CF CLI are affected.
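To illustrate the class of defect behind this advisory, the following is an added example written for this page (not CF CLI code) of a trace-output redaction step with a regression check. It assumes the credential travels in a form-encoded or JSON request body or an Authorization header; the advisory does not state where the CLI leaked the value, and the sample trace is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Credential-bearing fields that can appear in an HTTP trace dump. The field
// names (password, client_secret, Authorization) are assumptions for this
// example; the advisory does not say where the CLI leaked the value.
var secretPatterns = []struct {
	re   *regexp.Regexp
	repl string
}{
	{regexp.MustCompile(`(?i)((?:password|client_secret)=)[^&\s]*`), "${1}[REDACTED]"},
	{regexp.MustCompile(`(?i)("(?:password|client_secret)"\s*:\s*")(?:[^"\\]|\\.)*"`), "${1}[REDACTED]\""},
	{regexp.MustCompile(`(?i)(authorization:\s*)\S[^\r\n]*`), "${1}[REDACTED]"},
}

// RedactTrace replaces credential values with a marker before the trace is
// written to a terminal or log file, so verbose output cannot leak a password.
func RedactTrace(trace string) string {
	for _, p := range secretPatterns {
		trace = p.re.ReplaceAllString(trace, p.repl)
	}
	return trace
}

// LeaksSecret reports whether a known secret still appears verbatim in a trace;
// a redacting logger should carry a regression test built on this check.
func LeaksSecret(trace, secret string) bool {
	return secret != "" && strings.Contains(trace, secret)
}

// Constructed sample trace shaped like a password-grant token exchange followed
// by a JSON request; not captured from any real system.
const sampleTrace = `REQUEST: POST /oauth/token
Authorization: Basic sample-client-credentials
grant_type=password&username=alice&password=Hunter2!&scope=

REQUEST: POST /v1/accounts
{"name":"alice","password":"Hunter2!"}`

func main() {
	fmt.Println(RedactTrace(sampleTrace))
	fmt.Println("leaks:", LeaksSecret(RedactTrace(sampleTrace), "Hunter2!"))
}
```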
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- CF Autoscaling Release versions prior to v219
- CredHub Service Broker for PCF versions prior to 1.3.2
- Metric Registrar CLI versions prior to 1.2.0
- MySQL for PCF
  - 2.5.x versions prior to 2.5.7
  - 2.6.x versions prior to 2.6.3
- ODB release versions prior to 0.29.0
- PCF Service Broker for AWS versions prior to 1.4.13
- Pivotal Application Service (PAS)
  - 2.3.x versions prior to 2.3.15
  - 2.4.x versions prior to 2.4.10
  - 2.5.x versions prior to 2.5.6
- Pivotal Cloud Cache versions prior to 1.8.1
- Pivotal Cloud Foundry App Autoscaler versions prior to 2.0.199
- Pivotal Cloud Foundry Event Alerts versions prior to 1.2.8
- Pivotal Cloud Foundry Healthwatch
  - 1.4.x versions prior to 1.4.7
  - 1.5.x versions prior to 1.5.4
- Pivotal Cloud Foundry Metrics versions prior to 1.6.1
- Pivotal Isolation Segment
  - 2.3.x versions prior to 2.3.1
  - 2.4.x versions prior to 2.4.5
  - 2.5.x versions prior to 2.5.4
- RabbitMQ for PCF
  - 1.15.x versions prior to 1.15.11
  - 1.16.x versions prior to 1.16.4
- Redis for PCF
  - 2.0.x versions prior to 2.0.4
  - 2.1.x versions prior to 2.1.3
- Scheduler for PCF versions prior to 1.2.27
- Single Sign-On for PCF
  - 1.7.x versions prior to 1.7.5
  - 1.8.x versions prior to 1.8.4
  - 1.9.x versions prior to 1.9.1
- Spring Cloud Services for PCF versions prior to 2.0.10
Affected Partner Products and Versions
Severity is high unless otherwise noted.
- a9s Elasticsearch for PCF versions prior to 2.1.2
- a9s LogMe for PCF versions prior to 2.1.2
- a9s MongoDB for PCF versions prior to 2.1.2
- a9s MySQL versions prior to 2.1.2
- a9s PostgreSQL versions prior to 2.1.2
- a9s RabbitMQ for PCF versions prior to 2.1.2
- a9s Redis for PCF versions prior to 2.1.2
- Apigee Edge Service Broker for PCF versions prior to 3.1.3
- AppDynamics Application Analytics for PCF versions prior to 4.7.652
- AppDynamics Application Performance Monitoring for PCF versions prior to 4.6.64
- AppDynamics Platform Monitoring for PCF versions prior to 4.7.217
- Blue Medora Nozzle for PCF versions prior to 3.1.1
- Contrast Security Service Broker for PCF versions prior to 2.2.0
- CyberArk Conjur Service Broker for PCF versions prior to 1.1.1
- DataStax Enterprise Service Broker for PCF versions prior to 1.0.2
- Datadog Application Monitoring for PCF versions prior to 1.7.0
- Dynatrace Service Broker for PCF versions prior to 1.4.2
- ForgeRock Service Broker for PCF versions prior to 2.1.2
- GCP Service Broker for PCF versions prior to 4.2.3
- IBM WebSphere Liberty for PCF versions prior to 3.11.0
- Microsoft Azure Log Analytics Nozzle for PCF versions prior to 1.4.1
- Microsoft Azure Service Broker for PCF versions prior to 1.4.1
- New Relic Dotnet Extension Buildpack for PCF versions prior to 1.1.1
- New Relic Nozzle for PCF versions prior to 1.1.17
- New Relic Service Broker for PCF versions prior to 1.12.64
- PagerDuty Service Broker for PCF versions prior to 1.2.4
- Riverbed SteelCentral AppInternals for PCF versions prior to 10.21.1.-BL516
- SMB Volume Service for PCF versions prior to 1.1.1
- Signal Sciences Service Broker for PCF versions prior to 1.1.0
- Snyk Service Broker for PCF versions prior to 1.0.3
- Solace PubSub+ for PCF versions prior to 2.3.2
- Splunk Nozzle for PCF versions prior to 1.1.1
- Sumo Logic Nozzle for PCF versions prior to 1.0.1
- Synopsys Seeker IAST Service Broker for PCF versions prior to 1.2.14
- TIBCO BusinessWorks™ Container Edition Buildpack for PCF versions prior to 2.4.4
- Wavefront by VMware Nozzle for PCF versions prior to 1.0.2
- YugaByte DB Enterprise for PCF versions prior to 1.1.8
Mitigation
Users of affected versions should apply the following mitigation:
- Pivotal releases that have fixed this issue include:
  - CF Autoscaling Release v219
  - CredHub Service Broker for PCF 1.3.2
  - Metric Registrar CLI 1.2.0
  - MySQL for PCF 2.5.7, 2.6.3
  - ODB release 0.29.0
  - PCF Service Broker for AWS 1.4.13
  - Pivotal Application Service (PAS) 2.3.15, 2.4.10, 2.5.6
  - Pivotal Cloud Cache 1.8.1
  - Pivotal Cloud Foundry App Autoscaler 2.0.199
  - Pivotal Cloud Foundry Event Alerts 1.2.8
  - Pivotal Cloud Foundry Healthwatch 1.4.7, 1.5.4
  - Pivotal Cloud Foundry Metrics 1.6.1
  - Pivotal Isolation Segment 2.3.1, 2.4.5, 2.5.4
  - RabbitMQ for PCF 1.15.11, 1.16.4
  - Redis for PCF 2.0.4, 2.1.3
  - Scheduler for PCF 1.2.27
  - Single Sign-On for PCF 1.7.5, 1.8.4, 1.9.1
  - Spring Cloud Services for PCF 2.0.10
- Partner releases that have fixed this issue include:
  - a9s Elasticsearch for PCF 2.1.2
  - a9s LogMe for PCF 2.1.2
  - a9s MongoDB for PCF 2.1.2
  - a9s MySQL 2.1.2
  - a9s PostgreSQL 2.1.2
  - a9s RabbitMQ for PCF 2.1.2
  - a9s Redis for PCF 2.1.2
  - Aerospike EE Managed Service: removed from Pivnet
  - Aerospike Service Broker for PCF: removed from Pivnet
  - Apigee Edge Service Broker for PCF 3.1.3
  - AppDynamics Application Analytics for PCF 4.7.652
  - AppDynamics Application Performance Monitoring for PCF 4.6.64
  - AppDynamics Platform Monitoring for PCF 4.7.217
  - Blue Medora Nozzle for PCF 3.1.1
  - Contrast Security Service Broker for PCF 2.2.0
  - CyberArk Conjur Service Broker for PCF 1.1.1
  - DataStax Enterprise Service Broker for PCF 1.0.2
  - Datadog Application Monitoring for PCF 1.7.0
  - Dynatrace Service Broker for PCF 1.4.2
  - ForgeRock Service Broker for PCF 2.1.2
  - GCP Service Broker for PCF 4.2.3
  - IBM WebSphere Liberty for PCF 3.11.0
  - Microsoft Azure Log Analytics Nozzle for PCF 1.4.1
  - Microsoft Azure Service Broker for PCF 1.4.1
  - New Relic Dotnet Extension Buildpack for PCF 1.1.1
  - New Relic Nozzle for PCF 1.1.17
  - New Relic Service Broker for PCF 1.12.64
  - PagerDuty Service Broker for PCF 1.2.4
  - Riverbed SteelCentral AppInternals for PCF 10.21.1.-BL516
  - SMB Volume Service for PCF 1.1.1
  - Signal Sciences Service Broker for PCF 1.1.0
  - Snyk Service Broker for PCF 1.0.3
  - Solace PubSub+ for PCF 2.3.2
  - Splunk Nozzle for PCF 1.1.1
  - Sumo Logic Nozzle for PCF 1.0.1
  - Synopsys Seeker IAST Service Broker for PCF 1.2.14
  - TIBCO BusinessWorks™ Container Edition Buildpack for PCF 2.4.4
  - Wavefront by VMware Nozzle for PCF 1.0.2
  - YugaByte DB Enterprise for PCF 1.1.8
References
- https://www.cloudfoundry.org/blog/CVE-2019-3800/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3781
History
2019-07-18: Initial vulnerability report published.
2019-08-26: Updated product version for partner product AppDynamics Platform Monitoring for PCF.
2019-09-19: Additional affected products and mitigation added.