Severity

Critical

Vendor

Pivotal

Description

Certain versions of Pivotal Application Service (PAS), Pivotal Container Service (PKS), and Pivotal Ops Manager consume versions of UAA having a dependency on a vulnerable version of FasterXML jackson-databind. These issues have been assigned identifiers: CVE-2019-17531, CVE-2019-14379, CVE-2019-16942, CVE-2019-14540, CVE-2019-17267, CVE-2019-16335, and CVE-2019-16943.

Affected VMware Products and Versions

Severity is critical unless otherwise noted.

Older versions may also be affected.

• Pivotal Application Service (PAS)
  • 2.5 versions prior to 2.5.14
  • 2.6 versions prior to 2.6.9
  • 2.7 versions prior to 2.7.3
• Pivotal Container Service (PKS)
  • 1.5 versions prior to 1.5.2
  • 1.6 versions prior to 1.6.1
• Pivotal Ops Manager
  • 2.5 versions prior to 2.5.21
  • 2.6 versions prior to 2.6.13
  • 2.7 versions prior to 2.7.2

Mitigation

• Pivotal Application Service (PAS)
  • 2.5.14
  • 2.6.9
  • 2.7.3
• Pivotal Container Service (PKS)
  • 1.5.2
  • 1.6.1
• Pivotal Ops Manager
  • 2.5.21
  • 2.6.13
  • 2.7.2

References

• https://www.cloudfoundry.org/blog/various-jackson-cves-uaa/

History

2020-03-04: Initial vulnerability report published.