CVE-2019-11288: tc Server JMX Socket Listener Registry Rebinding Local Privilege Escalation
23845
15 January 2020
CLOSED
MEDIUM
Severity
Medium
Vendor
Pivotal
Description
When a tc Runtime instance is configured with the JMX Socket Listener, a local attacker without access to the tc Runtime process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the tc Runtime instance.
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- Pivotal tc Server
  - 3.2.0 - 3.2.18
  - 4.0.0 - 4.0.9
- Pivotal tc Runtime
  - 7.0.70.B.RELEASE - 7.0.96.A.RELEASE
  - 8.5.4.B.RELEASE - 8.5.43.B.RELEASE
  - 9.0.6.B.RELEASE - 9.0.22.B.RELEASE
Mitigation
Disable tc Runtime's JmxSocketListener and use the built-in remote JMX facilities provided by the JVM, or upgrade to the following versions:
- Pivotal tc Server
  - 3.2.19
  - 4.0.10+
- Pivotal tc Runtime
  - 7.0.99.B.RELEASE
  - 8.5.47.A.RELEASE
  - 9.0.27.A.RELEASE+
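One way to audit an instance against this advisory, as an added example rather than Pivotal's own tooling: it compares a tc Runtime version string with the affected ranges listed above and looks for an enabled JmxSocketListener in the instance configuration. It assumes the listener is declared as a `<Listener>` element in a Tomcat-style `server.xml`; the sample file is constructed, and the package name and attributes in it are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Affected tc Runtime ranges, copied from the advisory (inclusive bounds).
AFFECTED = [
    ("7.0.70.B.RELEASE", "7.0.96.A.RELEASE"),
    ("8.5.4.B.RELEASE", "8.5.43.B.RELEASE"),
    ("9.0.6.B.RELEASE", "9.0.22.B.RELEASE"),
]

def parse_version(text):
    """'8.5.43.B.RELEASE' -> (8, 5, 43, 'B') so tuples compare in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.([A-Z])\.RELEASE", text.strip())
    if not m:
        raise ValueError(f"unrecognised tc Runtime version: {text!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def runtime_is_affected(version):
    """True only when the version falls inside a range the advisory lists."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED)

def jmx_socket_listeners(server_xml):
    """Return active <Listener> elements whose class is JmxSocketListener.

    The XML parser drops comments, so commented-out listeners are not counted.
    """
    root = ET.fromstring(server_xml)
    return [el for el in root.iter("Listener")
            if el.get("className", "").split(".")[-1] == "JmxSocketListener"]

def audit(version, server_xml):
    """An instance is exposed when an affected runtime has the listener enabled."""
    affected = runtime_is_affected(version)
    enabled = bool(jmx_socket_listeners(server_xml))
    return {"affected_version": affected, "listener_enabled": enabled,
            "exposed": affected and enabled}

# Constructed sample server.xml; package name and attributes are placeholders.
SAMPLE = """<Server port="-1">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="com.example.tcserver.JmxSocketListener" port="6969"/>
  <!-- <Listener className="com.example.tcserver.JmxSocketListener"/> -->
</Server>"""

if __name__ == "__main__":
    print(audit("8.5.43.B.RELEASE", SAMPLE))
```

A version between the last affected release and the first fixed release in a line is reported as not affected, because the advisory does not list it either way.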
Credit
This issue was identified and responsibly reported by An Trinh.