CVE-2019-11288: tc Server JMX Socket Listener Registry Rebinding Local Privilege Escalation






When a tc Runtime instance is configured with the JMX Socket Listener, a local attacker without access to the tc Runtime process or configuration files can manipulate the RMI registry to perform a man-in-the-middle attack and capture the user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the tc Runtime instance.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • Pivotal tc Server
    • 3.2.0 - 3.2.18
    • 4.0.0 - 4.0.9
  • Pivotal tc Runtime
    • 7.0.70.B.RELEASE - 7.0.96.A.RELEASE
    • 8.5.4.B.RELEASE - 8.5.43.B.RELEASE
    • 9.0.6.B.RELEASE - 9.0.22.B.RELEASE


Disable tc Runtime's JmxSocketListener and use the built-in remote JMX facilities provided by the JVM, or upgrade to the following versions:

  • Pivotal tc Server
    • 3.2.19
    • 4.0.10+
  • Pivotal tc Runtime
    • 7.0.99.B.RELEASE
    • 8.5.47.A.RELEASE
    • 9.0.27.A.RELEASE+
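
To triage an instance against the ranges and mitigation above, the following added example (not part of the original advisory or of Pivotal's tooling) checks a tc Runtime version string against the affected ranges and looks for an active JmxSocketListener in a `server.xml`. It covers tc Runtime versions only; the ordering of the build letter (A before B), the `server.xml` layout, and the sample package name are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Affected tc Runtime ranges, copied from the advisory (inclusive bounds).
AFFECTED = [
    ("7.0.70.B.RELEASE", "7.0.96.A.RELEASE"),
    ("8.5.4.B.RELEASE", "8.5.43.B.RELEASE"),
    ("9.0.6.B.RELEASE", "9.0.22.B.RELEASE"),
]

def parse_version(text):
    """'8.5.43.B.RELEASE' -> (8, 5, 43, 'B'); raises ValueError otherwise."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.([A-Z])\.RELEASE", text.strip())
    if not m:
        raise ValueError(f"unrecognised tc Runtime version: {text!r}")
    # Assumption: build letters order alphabetically within one numeric version.
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def version_affected(text):
    v = parse_version(text)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED)

def jmx_socket_listeners(server_xml):
    """Return every active <Listener> whose class name is JmxSocketListener.
    Commented-out elements are dropped by the XML parser and not counted."""
    root = ET.fromstring(server_xml)
    return [el for el in root.iter("Listener")
            if el.get("className", "").split(".")[-1] == "JmxSocketListener"]

def assess(version, server_xml):
    """Exposed only if the version is in an affected range AND the listener is on."""
    affected = version_affected(version)
    enabled = bool(jmx_socket_listeners(server_xml))
    return {"version_affected": affected,
            "listener_enabled": enabled,
            "exposed": affected and enabled}

# Constructed sample input; package name and attribute values are placeholders.
SAMPLE_SERVER_XML = """<Server port="-1">
  <!-- <Listener className="example.pkg.JmxSocketListener" port="6969"/> -->
  <Listener className="example.pkg.JmxSocketListener" port="6969"/>
  <Service name="Catalina"/>
</Server>"""

if __name__ == "__main__":
    print(assess("8.5.43.B.RELEASE", SAMPLE_SERVER_XML))
```

A version string that does not match the expected pattern raises `ValueError` rather than being reported as unaffected.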


This issue was identified and responsibly reported by An Trinh.