-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.2433.2
       VMSA-2019-0010 - VMware product updates address Linux kernel
          vulnerabilities in TCP Selective Acknowledgement (SACK)
                     (CVE-2019-11477, CVE-2019-11478)
                               25 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           AppDefense
                   Container Service Extension
                   Enterprise PKS
                   Horizon
                   Horizon DaaS
                   Hybrid Cloud Extension
                   Identity Manager
                   Integrated OpenStack
                   NSX for vSphere
                   NSX-T Data Center
                   Pulse Console
                   SD-WAN Edge by VeloCloud
                   SD-WAN Gateway by VeloCloud
                   SD-WAN Orchestrator by VeloCloud
                   Skyline Collector
                   Unified Access Gateway
                   vCenter Server Appliance
                   vCloud Availability Appliance
                   vCloud Director For Service Providers
                   vCloud Usage Meter
                   vRealize Automation
                   vRealize Business for Cloud
                   vRealize Code Stream
                   vRealize Log Insight
                   vRealize Network Insight
                   vRealize Operations Manager
                   vRealize Orchestrator Appliance
                   vRealize Suite Lifecycle Manager
                   vSphere Data Protection
                   vSphere Integrated Containers
                   vSphere Replication
Publisher:         VMware
Operating System:  Virtualisation
                   VMware ESX Server
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11478 CVE-2019-11477 

Reference:         ASB-2019.0174
                   ASB-2019.0172
                   ESB-2019.2293
                   ESB-2019.2292

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2019-0010.html

Revision History:  July 25 2019: Updated security advisory with remediation 
                                 information for the vCenter 6.7 and AppDefense 
                                 2.x release lines and removed Horizon from 
                                 affected products as it was incorrectly  
                                 listed.
                   July  3 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

+---------+-------------------------------------------------------------------+
|Advisory |VMSA-2019-0010.1                                                   |
|ID       |                                                                   |
+---------+-------------------------------------------------------------------+
|Advisory |Important                                                          |
|Severity |                                                                   |
+---------+-------------------------------------------------------------------+
|CVSSv3   |5.3 - 7.5                                                          |
|Range    |                                                                   |
+---------+-------------------------------------------------------------------+
|Synopsis |VMware product updates address Linux kernel vulnerabilities in TCP |
|         |Selective Acknowledgement (SACK) (CVE-2019-11477, CVE-2019-11478)  |
+---------+-------------------------------------------------------------------+
|Issue    |2019-07-02                                                         |
|Date     |                                                                   |
+---------+-------------------------------------------------------------------+
|Updated  |2019-07-24                                                         |
|On       |                                                                   |
+---------+-------------------------------------------------------------------+
|CVE(s)   |CVE-2019-11477, and CVE-2019-11478                                 |
+---------+-------------------------------------------------------------------+


1. Impacted Products

  o AppDefense
  o Container Service Extension
  o Enterprise PKS
  o Horizon DaaS
  o Hybrid Cloud Extension
  o Identity Manager
  o Integrated OpenStack
  o NSX for vSphere
  o NSX-T Data Center
  o Pulse Console
  o SD-WAN Edge by VeloCloud
  o SD-WAN Gateway by VeloCloud
  o SD-WAN Orchestrator by VeloCloud
  o Skyline Collector
  o Unified Access Gateway
  o vCenter Server Appliance
  o vCloud Availability Appliance
  o vCloud Director For Service Providers
  o vCloud Usage Meter
  o vRealize Automation
  o vRealize Business for Cloud
  o vRealize Code Stream
  o vRealize Log Insight
  o vRealize Network Insight
  o vRealize Operations Manager
  o vRealize Orchestrator Appliance
  o vRealize Suite Lifecycle Manager
  o vSphere Data Protection
  o vSphere Integrated Containers
  o vSphere Replication

2. Introduction

Several vulnerabilities in the Linux kernel implementation of TCP Selective
Acknowledgement (SACK) have been disclosed. These issues may allow a malicious
entity to execute a Denial of Service attack against affected products.

3. Linux kernel vulnerabilities in TCP Selective Acknowledgement (SACK)
CVE-2019-11477, CVE-2019-11478

Description:

There are two uniquely identifiable vulnerabilities associated with the Linux
kernel implementation of SACK:

  o CVE-2019-11477 - SACK Panic - A sequence of SACKs may be crafted such that
    one can trigger an integer overflow, leading to a kernel panic. VMware has
    evaluated the severity of this issue to be in the Important severity range
    with a maximum CVSSv3 base score of 7.5.
  o CVE-2019-11478 - SACK Excess Resource Usage - A crafted sequence of SACKs
    will fragment the TCP retransmission queue, causing resource exhaustion.
    VMware has evaluated the severity of this issue to be in the Moderate
    severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors:

A malicious actor must have network access to an affected system including the
ability to send traffic with low MSS values to the target.  Successful
exploitation of these issues may cause the target system to crash or
significantly degrade performance.

Resolution:

To remediate CVE-2019-11477 and CVE-2019-11478 update/upgrade to the versions
listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds:

Some VMware Virtual Appliances can work around CVE-2019-11477 and CVE-2019-11478
either by disabling SACK or by modifying the built-in firewall (if available)
in the base OS of the product to drop incoming connections with a low MSS
value. In-product workarounds (if available) are listed in the 'Workarounds'
column of the 'Resolution Matrix' found below.
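The two workarounds described above (SACK disabled in the base OS, or a host firewall rule dropping incoming SYN segments with a low MSS) can be audited on a Linux-based appliance with a script like the following. This is an added example, not code from VMware or the KB articles; it assumes the appliance firewall is iptables and uses the commonly published rule form `-m tcpmss --mss 1:500` on SYN segments, and it runs against constructed sysctl and iptables-save samples so it works offline.

```shell
#!/bin/sh
# Audit helper for the two workarounds named in VMSA-2019-0010 on a Linux-based
# appliance: (a) SACK disabled through net.ipv4.tcp_sack=0, or (b) a host
# firewall rule that drops incoming SYN segments carrying a low MSS.
# This is an added example, not VMware's code. The rule shape it looks for,
#   iptables -I INPUT -p tcp --syn -m tcpmss --mss 1:500 -j DROP
# is the widely published mitigation for these CVEs; that the appliance uses
# iptables and that form of rule is an assumption.

# Return 0 when the input shows SACK turned off. Accepts either a bare value
# from "sysctl -n net.ipv4.tcp_sack" or a "net.ipv4.tcp_sack = 0" line.
sack_disabled() {
    val=$(printf '%s\n' "$1" \
          | sed -n -e 's/^net\.ipv4\.tcp_sack *= *//' -e 's/^\([01]\).*/\1/p')
    [ "$val" = "0" ]
}

# Return 0 when an iptables-save dump has an INPUT rule that matches TCP SYN
# segments, selects MSS values from 1 up to some limit, and drops them.
low_mss_filter_present() {
    printf '%s\n' "$1" \
        | grep '^-A INPUT ' \
        | grep -- '-p tcp' \
        | grep -- '--tcp-flags' \
        | grep -E -- '-m tcpmss --mss 1:[0-9]+' \
        | grep -q -- '-j DROP$'
}

# Print one word summarising the host's state given both inputs.
assess_host() {
    if sack_disabled "$1"; then
        echo "mitigated-sack-disabled"
    elif low_mss_filter_present "$2"; then
        echo "mitigated-mss-filter"
    else
        echo "unmitigated"
    fi
}

# Constructed sample inputs standing in for real sysctl / iptables-save output.
SAMPLE_SYSCTL_ON='net.ipv4.tcp_sack = 1'
SAMPLE_SYSCTL_OFF='net.ipv4.tcp_sack = 0'
SAMPLE_FW_WITH_RULE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m tcpmss --mss 1:500 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'
SAMPLE_FW_NO_RULE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Stand-alone demo. On a real appliance pass "$(sysctl -n net.ipv4.tcp_sack)"
# and "$(iptables-save)" instead of the samples.
assess_host "$SAMPLE_SYSCTL_ON"  "$SAMPLE_FW_WITH_RULE"   # mitigated-mss-filter
assess_host "$SAMPLE_SYSCTL_OFF" "$SAMPLE_FW_NO_RULE"     # mitigated-sack-disabled
assess_host "$SAMPLE_SYSCTL_ON"  "$SAMPLE_FW_NO_RULE"     # unmitigated
```

A host that reports "unmitigated" still needs the fixed version from the Response Matrix; the script only confirms whether one of the interim workarounds is in place.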

Additional Documentation:

None.

Acknowledgements:

None.

Response Matrix:

+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Product     |Version|Running  |CVE Identifier |CVSSV3|Severity |Fixed  |Workarounds|Additional|
|            |       |On       |               |      |         |Version|           |Documents |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|AppDefense  |2.x.x  |Virtual  |CVE-2019-11477,|7.5   |Important|2.2.1  |None       |None      |
|            |       |Appliance|CVE-2019-11478 |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Container   |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Service     |x.x    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Extension   |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Enterprise  |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|PKS         |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Horizon DaaS|x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|            |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Hybrid Cloud|x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Extension   |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Identity    |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Manager     |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Integrated  |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|OpenStack   |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|NSX for     |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|vSphere     |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|NSX-T Data  |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Center      |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Pulse       |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Console     |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|SD-WAN Edge |x.x    |Any      |CVE-2019-11477,|7.5   |Important|3.3.0  |None       |None      |
|by VeloCloud|       |         |CVE-2019-11478 |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|SD-WAN      |       |         |CVE-2019-11477,|      |         |       |           |          |
|Gateway by  |x.x    |Any      |CVE-2019-11478 |7.5   |Important|3.3.0  |None       |None      |
|VeloCloud   |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|SD-WAN      |       |         |CVE-2019-11477,|      |         |       |           |          |
|Orchestrator|x.x    |Any      |CVE-2019-11478 |7.5   |Important|3.3.0  |None       |None      |
|by VeloCloud|       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Skyline     |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Collector   |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Unified     |       |Virtual  |CVE-2019-11477,|      |         |       |           |          |
|Access      |x.x    |Appliance|CVE-2019-11478 |7.5   |Important|3.6    | KB70899   |None      |
|Gateway     |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vCenter     |       |Virtual  |CVE-2019-11477,|      |         |       |           |          |
|Server      |6.7    |Appliance|CVE-2019-11478 |7.5   |Important|6.7u2c |None       |None      |
|Appliance   |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vCenter     |       |Virtual  |CVE-2019-11477,|      |         |       |           |          |
|Server      |6.5    |Appliance|CVE-2019-11478 |7.5   |Important|6.5u3  |None       |None      |
|Appliance   |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vCenter     |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Server      |6.0    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Appliance   |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vCloud      |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Availability|x.x    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Appliance   |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vCloud      |       |         |               |      |         |       |           |          |
|Director For|x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |KB70900    |None      |
|Service     |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
|Providers   |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vCloud Usage|x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Meter       |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vRealize    |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Automation  |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vRealize    |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Business for|x.x    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Cloud       |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vRealize    |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Code Stream |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vRealize Log|x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Insight     |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vRealize    |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Network     |x.x    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Insight     |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vRealize    |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Operations  |x.x    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Manager     |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vRealize    |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Orchestrator|x.x    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Appliance   |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vRealize    |       |         |               |      |         |       |           |          |
|Suite       |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Lifecycle   |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
|Manager     |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vSphere Data|x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Protection  |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vSphere     |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Integrated  |x.x    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Containers  |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vSphere     |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Replication |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+

4. References

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478

 

Fixed Version(s) and Release Notes:

AppDefense 2.2.1

Downloads:

https://my.vmware.com/web/vmware/details?downloadGroup=APPDEFENSE-221&productId=742&rPId=35078

Documentation:

https://docs.vmware.com/en/VMware-AppDefense/221/rn/appdefense-plugin-221-release-notes.html

Unified Access Gateway 3.6

Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=UAG-36&productId=897&rPId=34577

vCenter Server Appliance 6.7u2c

Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=VC67U2C&productId=742&rPId=34693

vCenter Server Appliance 6.5u3

Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=VC65U3&productId=614&rPId=34639

SD-WAN Edge by VeloCloud 3.3.0

Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=SD-WAN-EDGE-330&productId=899&rPId=34579

SD-WAN Gateway by VeloCloud 3.3.0

Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=SD-WAN-VCG-330&productId=899&rPId=34582

SD-WAN Orchestrator by VeloCloud 3.3.0

Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=SD-WAN-ORC-330-2&productId=899&rPId=34580

Workarounds:

https://kb.vmware.com/s/article/70900
https://kb.vmware.com/s/article/70899

5. Change log

2019-07-02: VMSA-2019-0010
Initial security advisory detailing remediations and/or workarounds for SD-WAN,
Unified Access Gateway, vCenter Server Appliance, and vCloud Director For
Service Providers.

2019-07-24: VMSA-2019-0010.1
Updated security advisory with remediation information for the vCenter 6.7 and
AppDefense 2.x release lines and removed Horizon from affected products as it
was incorrectly listed.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----