First published: Fri Oct 05 2018
Cloud Foundry Log Cache, versions prior to 1.1.1, logs its UAA client secret on startup as part of its envstruct report. A remote attacker who has gained access to the Log Cache VM can read this secret, gaining all privileges held by the Log Cache UAA client. In the worst case, if this client is an admin, the attacker would gain complete control over the Foundation.
Credit: security_alert@emc.com
Affected Software | Affected Version | How to fix |
---|---|---|
Pivotal Software Cloud Foundry Log Cache | <1.1.1 | |
CVE-2018-1264 is a vulnerability in Cloud Foundry Log Cache versions prior to 1.1.1 that exposes the UAA client secret.
CVE-2018-1264 has a severity rating of critical with a score of 9.8.
CVE-2018-1264 allows a remote attacker who has gained access to the Log Cache VM to read the UAA client secret, gaining all privileges held by the Log Cache UAA client.
Versions of Cloud Foundry Log Cache prior to 1.1.1 are affected by CVE-2018-1264.
To fix CVE-2018-1264, upgrade to Cloud Foundry Log Cache version 1.1.1 or later.
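
The failure described above, a startup configuration report that prints a secret, can be guarded against by making reporting opt-in per field and checking the rendered report for leaked values. The Go code below is an added example, not Log Cache or envstruct code; the `Config` fields, environment variable names, the `report` tag and the sample values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"reflect"
	"strings"
)

// Config is a hypothetical stand-in for a service's environment-backed settings.
type Config struct {
	Addr         string `env:"ADDR" report:"true"`
	ClientID     string `env:"UAA_CLIENT_ID" report:"true"`
	ClientSecret string `env:"UAA_CLIENT_SECRET"` // no report tag: value is never printed
}

// Report renders one line per field; only fields tagged report:"true" show their value.
func Report(cfg interface{}) string {
	v := reflect.Indirect(reflect.ValueOf(cfg))
	var b strings.Builder
	for i := 0; i < v.NumField(); i++ {
		f := v.Type().Field(i)
		val := "(OMITTED)"
		if f.Tag.Get("report") == "true" {
			val = fmt.Sprint(v.Field(i).Interface())
		}
		fmt.Fprintf(&b, "%s=%s\n", f.Tag.Get("env"), val)
	}
	return b.String()
}

// LeakedFields names every non-reported field whose live value appears in the report text.
func LeakedFields(cfg interface{}, report string) []string {
	v := reflect.Indirect(reflect.ValueOf(cfg))
	var leaked []string
	for i := 0; i < v.NumField(); i++ {
		f := v.Type().Field(i)
		s := fmt.Sprint(v.Field(i).Interface())
		if f.Tag.Get("report") != "true" && s != "" && strings.Contains(report, s) {
			leaked = append(leaked, f.Name)
		}
	}
	return leaked
}

func main() {
	// Constructed sample values, not real credentials.
	cfg := Config{Addr: ":8080", ClientID: "log-cache", ClientSecret: "constructed-secret"}
	fmt.Fprint(os.Stderr, Report(&cfg))
}
```

Running `LeakedFields` in a unit test against the startup report turns a regression in the report logic into a build failure rather than a secret in the VM's logs.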