===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2433.2
   VMSA-2019-0010 - VMware product updates address Linux kernel vulnerabilities
       in TCP Selective Acknowledgement (SACK) (CVE-2019-11477, CVE-2019-11478)
                                 25 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           AppDefense
                   Container Service Extension
                   Enterprise PKS
                   Horizon
                   Horizon DaaS
                   Hybrid Cloud Extension
                   Identity Manager
                   Integrated OpenStack
                   NSX for vSphere
                   NSX-T Data Center
                   Pulse Console
                   SD-WAN Edge by VeloCloud
                   SD-WAN Gateway by VeloCloud
                   SD-WAN Orchestrator by VeloCloud
                   Skyline Collector
                   Unified Access Gateway
                   vCenter Server Appliance
                   vCloud Availability Appliance
                   vCloud Director For Service Providers
                   vCloud Usage Meter
                   vRealize Automation
                   vRealize Business for Cloud
                   vRealize Code Stream
                   vRealize Log Insight
                   vRealize Network Insight
                   vRealize Operations Manager
                   vRealize Orchestrator Appliance
                   vRealize Suite Lifecycle Manager
                   vSphere Data Protection
                   vSphere Integrated Containers
                   vSphere Replication
Publisher:         VMware
Operating System:  Virtualisation
                   VMware ESX Server
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11478 CVE-2019-11477

Reference:         ASB-2019.0174
                   ASB-2019.0172
                   ESB-2019.2293
                   ESB-2019.2292

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2019-0010.html

Revision History:  July 25 2019: Updated security advisory with remediation
                                 information for the vCenter 6.7 and AppDefense
                                 2.x release lines and removed Horizon from
                                 affected products as it was incorrectly listed.
                   July  3 2019: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

+-----------------+---------------------------------------------------------------+
|Advisory ID      |VMSA-2019-0010.1                                               |
|Advisory Severity|Important                                                      |
|CVSSv3 Range     |5.3 - 7.5                                                      |
|Synopsis         |VMware product updates address Linux kernel vulnerabilities in |
|                 |TCP Selective Acknowledgement (SACK) (CVE-2019-11477,          |
|                 |CVE-2019-11478)                                                |
|Issue Date       |2019-07-02                                                     |
|Updated On       |2019-07-24                                                     |
|CVE(s)           |CVE-2019-11477, and CVE-2019-11478                             |
+-----------------+---------------------------------------------------------------+

1. Impacted Products

  o AppDefense
  o Container Service Extension
  o Enterprise PKS
  o Horizon DaaS
  o Hybrid Cloud Extension
  o Identity Manager
  o Integrated OpenStack
  o NSX for vSphere
  o NSX-T Data Center
  o Pulse Console
  o SD-WAN Edge by VeloCloud
  o SD-WAN Gateway by VeloCloud
  o SD-WAN Orchestrator by VeloCloud
  o Skyline Collector
  o Unified Access Gateway
  o vCenter Server Appliance
  o vCloud Availability Appliance
  o vCloud Director For Service Providers
  o vCloud Usage Meter
  o vRealize Automation
  o vRealize Business for Cloud
  o vRealize Code Stream
  o vRealize Log Insight
  o vRealize Network Insight
  o vRealize Operations Manager
  o vRealize Orchestrator Appliance
  o vRealize Suite Lifecycle Manager
  o vSphere Data Protection
  o vSphere Integrated Containers
  o vSphere Replication

2. Introduction

Several vulnerabilities in the Linux kernel implementation of TCP Selective
Acknowledgement (SACK) have been disclosed. These issues may allow a malicious
entity to execute a Denial of Service attack against affected products.

3. Linux kernel vulnerabilities in TCP Selective Acknowledgement (SACK)
   (CVE-2019-11477, CVE-2019-11478)

Description:

There are two uniquely identifiable vulnerabilities associated with the Linux
kernel implementation of SACK:

  o CVE-2019-11477 - SACK Panic - A sequence of SACKs may be crafted such that
    one can trigger an integer overflow, leading to a kernel panic. VMware has
    evaluated the severity of this issue to be in the Important severity range
    with a maximum CVSSv3 base score of 7.5.

  o CVE-2019-11478 - SACK Excess Resource Usage - a crafted sequence of SACKs
    will fragment the TCP retransmission queue, causing resource exhaustion.
    VMware has evaluated the severity of this issue to be in the Moderate
    severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors:

A malicious actor must have network access to an affected system including the
ability to send traffic with low MSS values to the target.
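The attack vector above turns on the peer being able to negotiate a low MSS, which is also the property the firewall workaround later in this advisory keys on. The following is an added example, not VMware's or AusCERT's code: it parses the TCP option TLVs of a SYN segment to recover the advertised MSS and the SACK-permitted flag, then applies a "drop low MSS" decision. The 500-byte threshold and the two sample segments are assumptions constructed for the example; the advisory itself gives no numeric cut-off.

```python
import struct
from typing import Dict, Optional, Tuple

# Assumed cut-off for "low MSS": the advisory gives no number; 500 bytes is a
# value chosen for this example, not one taken from VMware or the KB articles.
LOW_MSS_THRESHOLD = 500
OPT_EOL, OPT_NOP, OPT_MSS, OPT_SACK_PERMITTED = 0, 1, 2, 4  # TCP option kinds

def parse_tcp_options(options: bytes) -> Tuple[Optional[int], bool]:
    """Walk the option TLVs and return (mss, sack_permitted).
    Truncated or bogus lengths end parsing instead of raising."""
    mss, sack_ok = None, False
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break  # kind byte with no length byte
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break  # length would run past the end of the options
        if kind == OPT_MSS and length == 4:
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        elif kind == OPT_SACK_PERMITTED and length == 2:
            sack_ok = True
        i += length
    return mss, sack_ok

def inspect_syn(tcp_header: bytes) -> Dict[str, object]:
    """Classify a raw TCP header (IP header already stripped)."""
    if not tcp_header[13] & 0x02:  # SYN flag must be set
        raise ValueError("not a SYN segment")
    data_offset = (tcp_header[12] >> 4) * 4  # header length in bytes
    mss, sack_ok = parse_tcp_options(tcp_header[20:data_offset])
    low = mss is not None and mss < LOW_MSS_THRESHOLD
    return {"mss": mss, "sack_permitted": sack_ok, "low_mss": low}

def workaround_would_drop(tcp_header: bytes) -> bool:
    """The decision the 'drop incoming connections with a low MSS' rule makes."""
    return bool(inspect_syn(tcp_header)["low_mss"])

def build_syn(options: bytes) -> bytes:
    """Constructed SYN header for the demo; ports and sequence number are arbitrary."""
    padded = options + b"\x00" * (-len(options) % 4)  # options are 32-bit aligned
    offset_byte = ((20 + len(padded)) // 4) << 4
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, offset_byte, 0x02, 65535, 0, 0) + padded

# Constructed samples: an ordinary Ethernet-MTU SYN and one advertising MSS 48.
NORMAL_SYN = build_syn(b"\x02\x04\x05\xb4\x01\x01\x04\x02")  # MSS 1460, NOP, NOP, SACK-permitted
LOW_MSS_SYN = build_syn(b"\x02\x04\x00\x30\x04\x02")          # MSS 48, SACK-permitted
```

Feed `inspect_syn` the TCP header of captured inbound SYNs to see how many peers would be affected by the workaround before enabling it; a legitimate population of low-MSS clients is the operational risk of that rule.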
Successful exploitation of these issues may cause the target system to crash or
significantly degrade performance.

Resolution:

To remediate CVE-2019-11477 and CVE-2019-11478 update/upgrade to the versions
listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds:

Some VMware Virtual Appliances can work around CVE-2019-11477 and CVE-2019-11478
by either disabling SACK or by modifying the built-in firewall (if available) in
the base OS of the product to drop incoming connections with a low MSS value.
In-product workarounds (if available) have been enumerated in the 'Workarounds'
column of the 'Resolution Matrix' found below.

Additional Documentation: None.

Acknowledgements: None.

Response Matrix:

+-------------------------------------+-------+-----------------+------------------------------+------+---------+-------------+-----------+--------------------+
|Product                              |Version|Running On       |CVE Identifier                |CVSSv3|Severity |Fixed Version|Workarounds|Additional Documents|
+-------------------------------------+-------+-----------------+------------------------------+------+---------+-------------+-----------+--------------------+
|AppDefense                           |2.x.x  |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|2.2.1        |None       |None                |
|Container Service Extension          |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|Enterprise PKS                       |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|Horizon DaaS                         |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|Hybrid Cloud Extension               |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|Identity Manager                     |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|Integrated OpenStack                 |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|NSX for vSphere                      |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|NSX-T Data Center                    |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|Pulse Console                        |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|SD-WAN Edge by VeloCloud             |x.x    |Any              |CVE-2019-11477, CVE-2019-11478|7.5   |Important|3.3.0        |None       |None                |
|SD-WAN Gateway by VeloCloud          |x.x    |Any              |CVE-2019-11477, CVE-2019-11478|7.5   |Important|3.3.0        |None       |None                |
|SD-WAN Orchestrator by VeloCloud     |x.x    |Any              |CVE-2019-11477, CVE-2019-11478|7.5   |Important|3.3.0        |None       |None                |
|Skyline Collector                    |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|Unified Access Gateway               |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|3.6          |KB70899    |None                |
|vCenter Server Appliance             |6.7    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|6.7u2c       |None       |None                |
|vCenter Server Appliance             |6.5    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|6.5u3        |None       |None                |
|vCenter Server Appliance             |6.0    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|vCloud Availability Appliance        |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|vCloud Director For Service Providers|x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|KB70900    |None                |
|vCloud Usage Meter                   |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|vRealize Automation                  |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|vRealize Business for Cloud          |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|vRealize Code Stream                 |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|vRealize Log Insight                 |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|vRealize Network Insight             |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|vRealize Operations Manager          |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|vRealize Orchestrator Appliance      |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|vRealize Suite Lifecycle Manager     |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|vSphere Data Protection              |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|vSphere Integrated Containers        |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
|vSphere Replication                  |x.x    |Virtual Appliance|CVE-2019-11477, CVE-2019-11478|7.5   |Important|Patch Pending|None       |None                |
+-------------------------------------+-------+-----------------+------------------------------+------+---------+-------------+-----------+--------------------+

4. References

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478

Fixed Version(s) and Release Notes:

AppDefense 2.2.1
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPDEFENSE-221&productId=742&rPId=35078
Documentation:
https://docs.vmware.com/en/VMware-AppDefense/221/rn/appdefense-plugin-221-release-notes.html

Unified Access Gateway 3.6
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=UAG-36&productId=897&rPId=34577

vCenter Server Appliance 6.7u2c
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VC67U2C&productId=742&rPId=34693

vCenter Server Appliance 6.5u3
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VC65U3&productId=614&rPId=34639

SD-WAN Edge by VeloCloud 3.3.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=SD-WAN-EDGE-330&productId=899&rPId=34579

SD-WAN Gateway by VeloCloud 3.3.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=SD-WAN-VCG-330&productId=899&rPId=34582

SD-WAN Orchestrator by VeloCloud 3.3.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=SD-WAN-ORC-330-2&productId=899&rPId=34580

Workarounds:
https://kb.vmware.com/s/article/70900
https://kb.vmware.com/s/article/70899

5. Change log

2019-07-02: VMSA-2019-0010
Initial security advisory detailing remediations and/or workarounds for SD-WAN,
Unified Access Gateway, vCenter Server Appliance, and vCloud Director For
Service Providers.

2019-07-24: VMSA-2019-0010.1
Updated security advisory with remediation information for the vCenter 6.7 and
AppDefense 2.x release lines and removed Horizon from affected products as it
was incorrectly listed.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT
did not write the document quoted above, AusCERT has had no control over its
content. The decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is retrieved
directly from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================