CVE-2019-11288

Name of the Vulnerable Software and Affected Versions Pivotal tc Server versions 3.x prior to 3.2.19 Pivotal tc Server versions 4.x prior to 4.0.10 Pivotal tc Runtimes versions 7.x prior to 7.0.99.B Pivotal tc Runtimes versions 8.x prior to 8.5.47.A Pivotal tc Runtimes versions 9.x prior to 9.0.27.A

Description A local attacker without access to the tc Runtime process or configuration files can manipulate the RMI registry to perform a man-in-the-middle attack. This allows the attacker to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the tc Runtime instance. This issue occurs when a tc Runtime instance is configured with the JMX Socket Listener.

Recommendations For Pivotal tc Server versions 3.x prior to 3.2.19, update to version 3.2.19 or later. For Pivotal tc Server versions 4.x prior to 4.0.10, update to version 4.0.10 or later. For Pivotal tc Runtimes versions 7.x prior to 7.0.99.B, update to version 7.0.99.B or later. For Pivotal tc Runtimes versions 8.x prior to 8.5.47.A, update to version 8.5.47.A or later. For Pivotal tc Runtimes versions 9.x prior to 9.0.27.A, update to version 9.0.27.A or later. As a temporary workaround, consider disabling the JMX Socket Listener until a patch is available. Restrict access to the JMX interface to minimize the risk of exploitation.