All Vulnerability Reports

CVE-2020-5400: Cloud Controller logs environment variables from app manifests

Severity

High

Vendor

Pivotal

Description

VMware Tanzu Application Service for VMs, 2.6.x versions prior to 2.6.16, 2.7.x versions prior to 2.7.10, and 2.8.x versions prior to 2.8.4, contain a vulnerable version of Cloud Controller (CAPI), which logs properties of background jobs when they are run, which may include sensitive information such as credentials if provided to the job. A malicious user with access to those logs may gain unauthorized access to resources protected by such credentials.

Affected VMware Products and Versions

Severity is high unless otherwise noted.

• VMware Tanzu Application Service for VMs
  • 2.6.x versions prior to 2.6.16
  • 2.7.x versions prior to 2.7.10
  • 2.8.x versions prior to 2.8.4

Mitigation

Relevant log lines include the text "about to run job". Operators should inform developers to rotate any credentials that are found there. Examples include service credentials provided to service broker jobs and environment variables provided to apps deployed using server-side manifests (such as by cf v3-apply-manifest or cf7 push). Users of affected versions should apply the following mitigation or upgrade:

• VMware Tanzu Application Service for VMs
  • 2.6.16
  • 2.7.10
  • 2.8.4

Credit

Miki Mokrysz of the GOV.UK PaaS team

References

• https://www.cloudfoundry.org/blog/cve-2020-5400
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-5400

History

2020-04-06: Initial vulnerability report published.