Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.3859 VMware Cloud Foundation and VMware Harbor Container Registry for PCF address broken access control vulnerability (CVE-2019-16919) 16 October 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: VMWare Cloud Foundation VMWare Harbor Container Registry for PCF Publisher: VMWare Operating System: Virtualisation Linux variants Windows Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-16919 Reference: ESB-2019.3610 Original Bulletin: https://www.vmware.com/security/advisories/VMSA-2019-0016.html - --------------------------BEGIN INCLUDED TEXT-------------------- VMware Security Advisories +-----------------------------------------------------------------------------+ |Advisory |VMSA-2019-0016 | |ID | | |----------+------------------------------------------------------------------| |Advisory |Critical | |Severity | | |----------+------------------------------------------------------------------| |CVSSv3 |9.1 | |Range | | |----------+------------------------------------------------------------------| |Synopsis |VMware Cloud Foundation and VMware Harbor Container Registry for | | |PCF address broken access control vulnerability (CVE-2019-16919) | |----------+------------------------------------------------------------------| |Issue Date|2019-10-15 | |----------+------------------------------------------------------------------| |Updated On|2019-10-15 (Initial Advisory) | |----------+------------------------------------------------------------------| |CVE(s) |CVE-2019-16919 | +-----------------------------------------------------------------------------+ 1. Impacted Products * VMware Cloud Foundation * VMware Harbor Container Registry for PCF 2. Introduction A broken access control vulnerability in Harbor, a Cloud Native Computing Foundation (CNCF) Open Source Project, was disclosed. Patches are available to remediate this vulnerability in affected VMware products. 3. Broken access control vulnerability in Harbor API (CVE-2019-16919) Description: A Broken Access Control vulnerability in the API of Harbor may allow for unauthorized access to push/pull/modify images in an adjacent project. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1. Known Attack Vectors: A malicious actor with administrative access to a project may be able to create a robot account inside of an adjacent project via the Harbor API. Successful exploitation of this issue may lead to unauthorized access to push/pull/modify images in the target adjacent project. Resolution: To remediate CVE-2019-16919, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. Workarounds: None. Additional Documentation: None. Notes: None. Acknowledgements: None. Response Matrix: +--------------------------------------------------------------------------------------------+ |Product |Version|Running|CVE Identifier|CVSSV3|Severity|Fixed |Workarounds|Additional| | | |On | | | |Version | |Documents | |-----------+-------+-------+--------------+------+--------+----------+-----------+----------| |VMware | | | | | |Patch | | | |Cloud |x.x |Any |CVE-2019-16919|9.1 |Critical|Pending |None |None | |Foundation*| | | | | | | | | |-----------+-------+-------+--------------+------+--------+----------+-----------+----------| |VMware | | | | | | | | | |Harbor | | | | | | | | | |Container |1.8.x |Any |CVE-2019-16919|9.1 |Critical|1.8.4 |None |None | |Registry | | | | | | | | | |for PCF | | | | | | | | | |-----------+-------+-------+--------------+------+--------+----------+-----------+----------| |VMware | | | | | | | | | |Harbor | | | | | | | | | |Container |1.7.x |Any |CVE-2019-16919|N/A |N/A |Unaffected|None |None | |Registry | | | | | | | | | |for PCF | | | | | | | | | +--------------------------------------------------------------------------------------------+ *VMware Cloud Foundation is affected if the optional 'Harbor Registry' component has been deployed. 4. References VMware Harbor Container Registry for PCF 1.8.4 https://network.pivotal.io/products/harbor-container-registry#/releases/484772 FIRST CVSSv3 Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/ I:H/A:H Mitre CVE Dictionary Links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16919 5. Change log 2019-10-15: VMSA-2019-0016 Initial security advisory detailing remediations for CVE-2019-16919 in VMware Harbor Container Registry for PCF. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXaalNWaOgq3Tt24GAQg/LBAApmUa/V6wffeghRNryMFJFiAs/aLRD9U8 4kEPF8svUfDDX6SrTjuN2W/oNcT4RN21L4Kr7f9Bok0MMYNe3Qr4K6ziMGsqWhAv LUTMRgSLu7Kv0NvcMjixPuqoi+bfFwNoR5y4mVmn9AjnlnZwYHz24igFeFk+Utjx LL/fYU++qxoEmd8i8hx/sJ9OdKJWm1QTsg4ppKi/de+b+5Jy1B8lIqnP+zQNTzAl 4LOhSDL2c3W9bKv5YfzuBbzWoZ5DXms/o6cyYnO/ExywHVWag7Pynyd28Nh3HTj+ Xk0d0zVNXJxACo6fY4MVIrFPL9re3cZhFSNHrC33eOVy1MeHIOeoL0YA/lJUcNZM KuPJGKjeZwRoC2g9rBaddTNsuZkYf09r4efS/aLGkK3ajKc74rGMx7hxX5xnxXTf NOI70AVDTHhneBhAVkcCseNVduQef45Anvqqj5oLTCUwuKf6C+E6fm9Iz4vz9P7Y gTkb2jAB8ednhfsbnmaRE0ICRZRckx9drNvd2NgIUI91vrgq+RXpbfUJWwGWYvHQ ZY0NZ8FT/Q2xx/54OC7N4uXMOWycFj2045YqhMPvmJZkVsl8Y+Ic5Mkw4DgLBKQn 66lXKQ33srsPrbeGcMKnJgbjs2fxjnhZeuE7Oal6MnHjMQIPJ079OhZRmaJ69TpS LPU3BLGfNfk= =WAIk -----END PGP SIGNATURE-----