All Vulnerability Reports

CVE-2018-15759: On Demand Services SDK Timing Attack Vulnerability




Pivotal Cloud Foundry


Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24, and Pivotal Cloud Foundry Broker API, prior to version 3.0.2, contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with a series of different credentials, allowing them to infer valid credentials and gain access to perform broker operations.

Affected VMware Products and Versions

Severity is critical unless otherwise noted.

  • On Demand Services SDK
    • All versions prior to 0.24.0
  • Broker API
    • All versions prior to 3.0.2


Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • On Demand Services SDK: 0.24.0
    • Broker API: 3.0.2

Dependent Products

The following products contain a dependency on an impacted component and should be updated as listed below:

  • Releases that have fixed this issue include:
    • CredHub Service Broker: 1.2.0
    • Metrics Forwarder: 1.11.4
    • MySQL for PCF: 2.4.2, 2.3.3, 2.2.7
    • Pivotal Cloud Cache: 1.5.1, 1.4.1, 1.3.4
    • Pivotal Cloud Foundry Service Broker for AWS: 1.4.10
    • Pivotal Container Service: 1.2.3
    • RabbitMQ for PCF: 1.14.4, 1.13.11, 1.12.13
    • Redis for PCF: 1.14.4, 1.13.7, 1.12.8


This vulnerability was responsibly reported by GE Digital Security Team


2018-11-15: Initial vulnerability report published

2018-11-20: Updated to include Broker API impact

2018-12-04: Updated to include dependent product impacts