Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3859
VMware Cloud Foundation and VMware Harbor Container Registry for PCF
address broken access control vulnerability (CVE-2019-16919)
16 October 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: VMWare Cloud Foundation
VMWare Harbor Container Registry for PCF
Publisher: VMWare
Operating System: Virtualisation
Linux variants
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-16919
Reference: ESB-2019.3610
Original Bulletin:
https://www.vmware.com/security/advisories/VMSA-2019-0016.html
- --------------------------BEGIN INCLUDED TEXT--------------------
VMware Security Advisories
+-----------------------------------------------------------------------------+
|Advisory |VMSA-2019-0016 |
|ID | |
|----------+------------------------------------------------------------------|
|Advisory |Critical |
|Severity | |
|----------+------------------------------------------------------------------|
|CVSSv3 |9.1 |
|Range | |
|----------+------------------------------------------------------------------|
|Synopsis |VMware Cloud Foundation and VMware Harbor Container Registry for |
| |PCF address broken access control vulnerability (CVE-2019-16919) |
|----------+------------------------------------------------------------------|
|Issue Date|2019-10-15 |
|----------+------------------------------------------------------------------|
|Updated On|2019-10-15 (Initial Advisory) |
|----------+------------------------------------------------------------------|
|CVE(s) |CVE-2019-16919 |
+-----------------------------------------------------------------------------+
1. Impacted Products
* VMware Cloud Foundation
* VMware Harbor Container Registry for PCF
2. Introduction
A broken access control vulnerability in Harbor, a Cloud Native Computing
Foundation (CNCF) Open Source Project, was disclosed. Patches are available to
remediate this vulnerability in affected VMware products.
3. Broken access control vulnerability in Harbor API (CVE-2019-16919)
Description:
A Broken Access Control vulnerability in the API of Harbor may allow for
unauthorized access to push/pull/modify images in an adjacent project. VMware
has evaluated the severity of this issue to be in the Critical severity range
with a maximum CVSSv3 base score of 9.1.
Known Attack Vectors:
A malicious actor with administrative access to a project may be able to create
a robot account inside of an adjacent project via the Harbor API. Successful
exploitation of this issue may lead to unauthorized access to push/pull/modify
images in the target adjacent project.
Resolution:
To remediate CVE-2019-16919, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.
Workarounds:
None.
Additional Documentation:
None.
Notes:
None.
Acknowledgements:
None.
Response Matrix:
+--------------------------------------------------------------------------------------------+
|Product |Version|Running|CVE Identifier|CVSSV3|Severity|Fixed |Workarounds|Additional|
| | |On | | | |Version | |Documents |
|-----------+-------+-------+--------------+------+--------+----------+-----------+----------|
|VMware | | | | | |Patch | | |
|Cloud |x.x |Any |CVE-2019-16919|9.1 |Critical|Pending |None |None |
|Foundation*| | | | | | | | |
|-----------+-------+-------+--------------+------+--------+----------+-----------+----------|
|VMware | | | | | | | | |
|Harbor | | | | | | | | |
|Container |1.8.x |Any |CVE-2019-16919|9.1 |Critical|1.8.4 |None |None |
|Registry | | | | | | | | |
|for PCF | | | | | | | | |
|-----------+-------+-------+--------------+------+--------+----------+-----------+----------|
|VMware | | | | | | | | |
|Harbor | | | | | | | | |
|Container |1.7.x |Any |CVE-2019-16919|N/A |N/A |Unaffected|None |None |
|Registry | | | | | | | | |
|for PCF | | | | | | | | |
+--------------------------------------------------------------------------------------------+
*VMware Cloud Foundation is affected if the optional 'Harbor Registry'
component has been deployed.
4. References
VMware Harbor Container Registry for PCF 1.8.4
https://network.pivotal.io/products/harbor-container-registry#/releases/484772
FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/
I:H/A:H
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16919
5. Change log
2019-10-15: VMSA-2019-0016
Initial security advisory detailing remediations for CVE-2019-16919 in VMware
Harbor Container Registry for PCF.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXaalNWaOgq3Tt24GAQg/LBAApmUa/V6wffeghRNryMFJFiAs/aLRD9U8
4kEPF8svUfDDX6SrTjuN2W/oNcT4RN21L4Kr7f9Bok0MMYNe3Qr4K6ziMGsqWhAv
LUTMRgSLu7Kv0NvcMjixPuqoi+bfFwNoR5y4mVmn9AjnlnZwYHz24igFeFk+Utjx
LL/fYU++qxoEmd8i8hx/sJ9OdKJWm1QTsg4ppKi/de+b+5Jy1B8lIqnP+zQNTzAl
4LOhSDL2c3W9bKv5YfzuBbzWoZ5DXms/o6cyYnO/ExywHVWag7Pynyd28Nh3HTj+
Xk0d0zVNXJxACo6fY4MVIrFPL9re3cZhFSNHrC33eOVy1MeHIOeoL0YA/lJUcNZM
KuPJGKjeZwRoC2g9rBaddTNsuZkYf09r4efS/aLGkK3ajKc74rGMx7hxX5xnxXTf
NOI70AVDTHhneBhAVkcCseNVduQef45Anvqqj5oLTCUwuKf6C+E6fm9Iz4vz9P7Y
gTkb2jAB8ednhfsbnmaRE0ICRZRckx9drNvd2NgIUI91vrgq+RXpbfUJWwGWYvHQ
ZY0NZ8FT/Q2xx/54OC7N4uXMOWycFj2045YqhMPvmJZkVsl8Y+Ic5Mkw4DgLBKQn
66lXKQ33srsPrbeGcMKnJgbjs2fxjnhZeuE7Oal6MnHjMQIPJ079OhZRmaJ69TpS
LPU3BLGfNfk=
=WAIk
-----END PGP SIGNATURE-----