CVE-2018-15759: On Demand Services SDK Timing Attack Vulnerability
Severity
Critical
Vendor
Pivotal Cloud Foundry
Description
Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24, and Pivotal Cloud Foundry Broker API, prior to version 3.0.2, contain an insecure method of verifying credentials: the check is not performed in constant time, so the broker's response latency depends on how much of the supplied credential matches the real one. A remote unauthenticated malicious user may make many requests to the service broker with a series of different credentials and measure the response times, allowing them to infer valid credentials and gain access to perform broker operations.
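The following Go program is an added illustration of the issue described above, not code from the On Demand Services SDK or the Broker API (the advisory does not say which comparison the affected versions used; the short-circuiting byte loop below is assumed as a representative vulnerable pattern). It contrasts an early-exit credential comparison, whose cost grows with the length of the matching prefix, with a constant-time check built on crypto/subtle, and wraps the latter around a hypothetical broker endpoint using HTTP basic auth. The function and route names (insecureCompare, constantTimeEqual, brokerAuth, /v2/catalog) and the credentials are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// insecureCompare reports whether guess equals secret and how many bytes it
// examined before deciding. The byte count stands in for elapsed time: a
// longer matching prefix means more work before the early return, and that
// difference is what an attacker measures over many requests to recover the
// secret one byte at a time. (Assumed vulnerable pattern; not the SDK's code.)
func insecureCompare(secret, guess string) (equal bool, bytesExamined int) {
	if len(secret) != len(guess) {
		return false, 0 // also leaks the secret's length
	}
	for i := 0; i < len(secret); i++ {
		bytesExamined++
		if secret[i] != guess[i] {
			return false, bytesExamined
		}
	}
	return true, bytesExamined
}

// constantTimeEqual hashes both inputs first so the comparison always runs
// over 32 bytes regardless of the inputs' lengths, then uses crypto/subtle
// so it does not stop at the first mismatching byte.
func constantTimeEqual(a, b string) bool {
	ha := sha256.Sum256([]byte(a))
	hb := sha256.Sum256([]byte(b))
	return subtle.ConstantTimeCompare(ha[:], hb[:]) == 1
}

// brokerAuth wraps a handler with HTTP basic auth checked in constant time.
// Both comparisons are evaluated unconditionally so that a wrong username
// does not skip the password check and reveal itself through timing.
func brokerAuth(user, pass string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		userOK := constantTimeEqual(u, user)
		passOK := constantTimeEqual(p, pass)
		if !ok || !userOK || !passOK {
			w.Header().Set("WWW-Authenticate", `Basic realm="broker"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request with the given credentials to the protected
// handler and returns the HTTP status code it produced.
func probe(h http.Handler, user, pass string) int {
	req := httptest.NewRequest(http.MethodGet, "/v2/catalog", nil)
	req.SetBasicAuth(user, pass)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed credentials for the demonstration.
	const user, pass = "broker", "s3cret-example"

	// The early-exit comparison does more work for a better guess.
	_, wrongFirst := insecureCompare(pass, "xxxxxxxxxxxxxx")
	_, rightPrefix := insecureCompare(pass, "s3cxxxxxxxxxxx")
	fmt.Println("bytes examined, bad guess:", wrongFirst, " good prefix:", rightPrefix)

	catalog := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte(`{"services":[]}`))
	})
	h := brokerAuth(user, pass, catalog)
	fmt.Println("valid:", probe(h, user, pass), " invalid:", probe(h, user, "guess"))
}
```

In production the secret should be stored and compared as a hash rather than in plaintext; the SHA-256 step here serves only to equalize lengths before the constant-time compare.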
Affected VMware Products and Versions
Severity is critical unless otherwise noted.
- On Demand Services SDK
- All versions prior to 0.24.0
- Broker API
- All versions prior to 3.0.2
Mitigation
Users of affected versions should apply the following mitigation. Releases that have fixed this issue include:
- On Demand Services SDK: 0.24.0
- Broker API: 3.0.2
Dependent Products
The following products contain a dependency on an impacted component and should be updated as listed below. Releases that have fixed this issue include:
- CredHub Service Broker: 1.2.0
- Metrics Forwarder: 1.11.4
- MySQL for PCF: 2.4.2, 2.3.3, 2.2.7
- Pivotal Cloud Cache: 1.5.1, 1.4.1, 1.3.4
- Pivotal Cloud Foundry Service Broker for AWS: 1.4.10
- Pivotal Container Service: 1.2.3
- RabbitMQ for PCF: 1.14.4, 1.13.11, 1.12.13
- Redis for PCF: 1.14.4, 1.13.7, 1.12.8
Credit
This vulnerability was responsibly reported by the GE Digital Security Team.
History
2018-11-15: Initial vulnerability report published
2018-11-20: Updated to include Broker API impact
2018-12-04: Updated to include dependent product impacts