CVE-2018-11081: Ops Manager writes UAA credentials to disk
Severity
High
Vendor
Pivotal
Description
Ops Manager versions 2.2.x prior to 2.2.1, 2.1.x prior to 2.1.11, and 2.0.x prior to 2.0.16 fail to write the UAA config onto the temp RAM disk, thus exposing the configs directly on disk. A remote user who has gained access to the Ops Manager VM can search the file system and find the Ops Manager UAA credentials on the system disk.
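The defect described above is a secrets file landing on a disk-backed filesystem instead of the RAM disk. As an added example (not Pivotal's code and not part of the advisory), this Python check reads a /proc/mounts-style listing and reports which filesystem backs a given path; the paths and file name are placeholders and the mount table is constructed.

```python
import posixpath
import re

RAM_BACKED = {"tmpfs", "ramfs"}  # filesystem types that live in memory

# Constructed sample in /proc/mounts format; the paths are placeholders,
# not real Ops Manager locations.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
tmpfs /placeholder/ramdisk tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /placeholder/ramdisk/persist ext4 rw,relatime 0 0
"""

def parse_mounts(text):
    """Return [(mount_point, fstype), ...] from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        # The kernel writes space, tab, newline and backslash as \ooo octal.
        mount_point = re.sub(r"\\([0-7]{3})",
                             lambda m: chr(int(m.group(1), 8)), fields[1])
        mounts.append((posixpath.normpath(mount_point), fields[2]))
    return mounts

def backing_fs(path, mounts):
    """Filesystem type of the mount containing path; the deepest mount wins."""
    # normpath does not follow symlinks: on a live host, resolve the path
    # with os.path.realpath() before calling this.
    path = posixpath.normpath(path)
    best = None
    for mount_point, fstype in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            # ">=" lets a later mount on the same point shadow an earlier one.
            if best is None or len(mount_point) >= len(best[0]):
                best = (mount_point, fstype)
    return best[1] if best else None

def on_ram_disk(path, mounts_text):
    """True only if path is backed by tmpfs or ramfs."""
    return backing_fs(path, parse_mounts(mounts_text)) in RAM_BACKED

if __name__ == "__main__":
    for p in ("/placeholder/ramdisk/uaa-config.example",
              "/placeholder/ramdisk/persist/uaa-config.example",
              "/var/tmp/uaa-config.example"):
        print(p, "->", "RAM-backed" if on_ram_disk(p, SAMPLE_MOUNTS) else "ON DISK")
```

The second sample path shows the case a simple prefix check misses: a disk-backed filesystem mounted underneath the RAM disk.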
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Ops Manager
  - 2.2 versions prior to 2.2.1
  - 2.1 versions prior to 2.1.11
  - 2.0 versions prior to 2.0.16
Mitigation
Users of affected versions should apply the following mitigation:
- Releases that have fixed this issue include:
  - Ops Manager: 2.2.1, 2.1.11, 2.0.16
Credit
This vulnerability was responsibly reported by Pivotal.
History
2018-09-27: Initial vulnerability report published