-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2433
       VMSA-2019-0010 - VMware product updates address Linux kernel
          vulnerabilities in TCP Selective Acknowledgement (SACK)
                     (CVE-2019-11477, CVE-2019-11478)
                                3 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           AppDefense
                   Container Service Extension
                   Enterprise PKS
                   Horizon
                   Horizon DaaS
                   Hybrid Cloud Extension
                   Identity Manager
                   Integrated OpenStack
                   NSX for vSphere
                   NSX-T Data Center
                   Pulse Console
                   SD-WAN Edge by VeloCloud
                   SD-WAN Gateway by VeloCloud
                   SD-WAN Orchestrator by VeloCloud
                   Skyline Collector
                   Unified Access Gateway
                   vCenter Server Appliance
                   vCloud Availability Appliance
                   vCloud Director For Service Providers
                   vCloud Usage Meter
                   vRealize Automation
                   vRealize Business for Cloud
                   vRealize Code Stream
                   vRealize Log Insight
                   vRealize Network Insight
                   vRealize Operations Manager
                   vRealize Orchestrator Appliance
                   vRealize Suite Lifecycle Manager
                   vSphere Data Protection
                   vSphere Integrated Containers
                   vSphere Replication
Publisher:         VMware
Operating System:  Virtualisation
                   VMware ESX Server
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11477 CVE-2019-11478

Reference:         ASB-2019.0174
                   ASB-2019.0172
                   ESB-2019.2293
                   ESB-2019.2292

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2019-0010.html

- --------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

+---------+-------------------------------------------------------------------+
|Advisory |VMSA-2019-0010                                                     |
|ID       |                                                                   |
+---------+-------------------------------------------------------------------+
|Advisory |Important                                                          |
|Severity |                                                                   |
+---------+-------------------------------------------------------------------+
|CVSSv3   |5.3 - 7.5                                                          |
|Range    |                                                                   |
+---------+-------------------------------------------------------------------+
|Synopsis |VMware product updates address Linux kernel vulnerabilities in TCP |
|         |Selective Acknowledgement (SACK) (CVE-2019-11477, CVE-2019-11478)  |
+---------+-------------------------------------------------------------------+
|Issue    |2019-07-02                                                         |
|Date     |                                                                   |
+---------+-------------------------------------------------------------------+
|Updated  |2019-07-02 (Initial Advisory)                                      |
|On       |                                                                   |
+---------+-------------------------------------------------------------------+
|CVE(s)   |CVE-2019-11477 and CVE-2019-11478                                  |
+---------+-------------------------------------------------------------------+


1. Impacted Products

  o AppDefense
  o Container Service Extension
  o Enterprise PKS
  o Horizon
  o Horizon DaaS
  o Hybrid Cloud Extension
  o Identity Manager
  o Integrated OpenStack
  o NSX for vSphere
  o NSX-T Data Center
  o Pulse Console
  o SD-WAN Edge by VeloCloud
  o SD-WAN Gateway by VeloCloud
  o SD-WAN Orchestrator by VeloCloud
  o Skyline Collector
  o Unified Access Gateway
  o vCenter Server Appliance
  o vCloud Availability Appliance
  o vCloud Director For Service Providers
  o vCloud Usage Meter
  o vRealize Automation
  o vRealize Business for Cloud
  o vRealize Code Stream
  o vRealize Log Insight
  o vRealize Network Insight
  o vRealize Operations Manager
  o vRealize Orchestrator Appliance
  o vRealize Suite Lifecycle Manager
  o vSphere Data Protection
  o vSphere Integrated Containers
  o vSphere Replication

2. Introduction

Several vulnerabilities in the Linux kernel implementation of TCP Selective
Acknowledgement (SACK) have been disclosed. These issues may allow a malicious
entity to execute a Denial of Service attack against affected products.

3. Linux kernel vulnerabilities in TCP Selective Acknowledgement (SACK)
CVE-2019-11477, CVE-2019-11478

Description:

There are two uniquely identifiable vulnerabilities associated with the Linux
kernel implementation of SACK:

  o CVE-2019-11477 - SACK Panic - A crafted sequence of SACKs can trigger an
    integer overflow in the kernel's per-buffer TCP segment count, leading to a
    kernel panic (a remote crash). VMware has evaluated the severity of this
    issue to be in the Important severity range with a maximum CVSSv3 base
    score of 7.5.
  o CVE-2019-11478 - SACK Excess Resource Usage - A crafted sequence of SACKs
    fragments the TCP retransmission queue, causing resource exhaustion and
    significantly degraded performance. VMware has evaluated the severity of
    this issue to be in the Moderate severity range with a maximum CVSSv3 base
    score of 5.3.

Known Attack Vectors:

A malicious actor must have network access to an affected system, including the
ability to establish TCP sessions with the target that negotiate a low MSS
value. Successful exploitation of these issues may cause the target system to
crash (CVE-2019-11477) or significantly degrade its performance
(CVE-2019-11478).

Resolution:

To remediate CVE-2019-11477 and CVE-2019-11478 update/upgrade to the versions
listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds:

Some VMware Virtual Appliances can work around CVE-2019-11477 and CVE-2019-11478
by either disabling SACK or by modifying the built-in firewall (if available)
in the base OS of the product to drop incoming connections with a low MSS
value. In-product workarounds (if available) are listed in the 'Workarounds'
column of the 'Resolution Matrix' found below.
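
The following script is an added example and is not part of VMSA-2019-0010 or
of any VMware product. It shows the two generic workarounds described above as
an administrator would apply them on a Linux host, or on an appliance base OS,
that they control: a firewall rule dropping SYN segments that advertise a low
MSS, and optionally disabling SACK. It assumes iptables/ip6tables with the
tcpmss match and sysctl are present, and uses a 500-byte floor for "low MSS"
(the value found in common Linux distribution guidance; the advisory itself
names no number). By default it only prints the commands; run it with the
argument apply as root to execute them.

```shell
#!/bin/sh
# Added example, not VMware's code: generic Linux workarounds for
# CVE-2019-11477 / CVE-2019-11478 on a host you administer.
#   1. Drop TCP segments that carry the SYN flag and advertise an MSS of
#      1..MSS_FLOOR bytes (the attack needs a low MSS on the connection).
#   2. Optionally disable SACK via sysctl (DISABLE_SACK=1).
# Assumptions: iptables/ip6tables with the tcpmss match and sysctl exist; the
# 500-byte floor follows distribution guidance, not the advisory itself.
# Usage: sh sack_workaround.sh                       # dry run, prints commands
#        DISABLE_SACK=1 sh sack_workaround.sh apply  # execute as root

MSS_FLOOR="${MSS_FLOOR:-500}"
SACK_SYSCTL="${SACK_SYSCTL:-/proc/sys/net/ipv4/tcp_sack}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Exit status 0 if SACK is enabled, 1 if disabled, 2 if it cannot be read.
sack_enabled() {
    [ -r "$SACK_SYSCTL" ] || return 2
    case "$(cat "$SACK_SYSCTL")" in
        1) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# Print one rule per address family. --tcp-flags SYN SYN matches every segment
# with SYN set (SYN and SYN-ACK), so both connection directions are covered;
# -m tcpmss only matches when an MSS option is present and inside the range.
low_mss_rules() {
    floor="$1"
    case "$floor" in
        ''|*[!0-9]*) echo "MSS floor must be a positive integer" >&2; return 1 ;;
    esac
    [ "$floor" -ge 1 ] || { echo "MSS floor must be >= 1" >&2; return 1; }
    for tool in iptables ip6tables; do
        printf '%s -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:%s -j DROP\n' \
            "$tool" "$floor"
    done
}

# Insert the rules idempotently: -C succeeds if an identical rule already exists.
apply_low_mss_rules() {
    low_mss_rules "$MSS_FLOOR" | while read -r tool _op _chain rest; do
        # shellcheck disable=SC2086  # $rest must be word-split into arguments
        if [ "$DRY_RUN" = "1" ] || ! "$tool" -C INPUT $rest 2>/dev/null; then
            run "$tool" -I INPUT $rest
        fi
    done
}

disable_sack() {
    run sysctl -w net.ipv4.tcp_sack=0
    # Making this persistent (e.g. a file under /etc/sysctl.d/) is distribution
    # and appliance specific; check the vendor KB before editing the base OS.
}

main() {
    if sack_enabled; then
        echo "# tcp_sack=1: host remains exposed to CVE-2019-11477/11478 until patched"
    fi
    apply_low_mss_rules
    [ "${DISABLE_SACK:-0}" = "1" ] && disable_sack
    return 0
}

[ "${1:-}" = "apply" ] && DRY_RUN=0
main "$@"
```

Two caveats apply to either workaround. The MSS filter also rejects legitimate
peers that advertise an MSS of 500 or less (uncommon, but seen on some low-MTU
tunnels), and it does nothing for a SYN that omits the MSS option. Disabling
SACK mitigates both CVEs but reduces throughput on lossy paths. Neither
replaces the vendor patch, and on a VMware appliance the KB-documented
in-product workaround should be preferred over editing the base OS by hand.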

Additional Documentation:

None.

Acknowledgements:

None.

Resolution Matrix:

+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Product     |Version|Running  |CVE Identifier |CVSSV3|Severity |Fixed  |Workarounds|Additional|
|            |       |On       |               |      |         |Version|           |Documents |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|AppDefense  |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|            |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Container   |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Service     |x.x    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Extension   |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Enterprise  |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|PKS         |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Horizon     |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|            |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Horizon DaaS|x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|            |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Hybrid Cloud|x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Extension   |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Identity    |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Manager     |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Integrated  |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|OpenStack   |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|NSX for     |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|vSphere     |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|NSX-T Data  |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Center      |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Pulse       |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Console     |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|SD-WAN Edge |x.x    |Any      |CVE-2019-11477,|7.5   |Important|3.3.0  |None       |None      |
|by VeloCloud|       |         |CVE-2019-11478 |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|SD-WAN      |       |         |CVE-2019-11477,|      |         |       |           |          |
|Gateway by  |x.x    |Any      |CVE-2019-11478 |7.5   |Important|3.3.0  |None       |None      |
|VeloCloud   |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|SD-WAN      |       |         |CVE-2019-11477,|      |         |       |           |          |
|Orchestrator|x.x    |Any      |CVE-2019-11478 |7.5   |Important|3.3.0  |None       |None      |
|by VeloCloud|       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Skyline     |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Collector   |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|Unified     |       |Virtual  |CVE-2019-11477,|      |         |       |           |          |
|Access      |x.x    |Appliance|CVE-2019-11478 |7.5   |Important|3.6    |KB70899    |None      |
|Gateway     |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vCenter     |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Server      |6.7    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Appliance   |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vCenter     |       |Virtual  |CVE-2019-11477,|      |         |       |           |          |
|Server      |6.5    |Appliance|CVE-2019-11478 |7.5   |Important|6.5u3  |None       |None      |
|Appliance   |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vCenter     |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Server      |6.0    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Appliance   |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vCloud      |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Availability|x.x    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Appliance   |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vCloud      |       |         |               |      |         |       |           |          |
|Director For|x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |KB70900    |None      |
|Service     |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
|Providers   |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vCloud Usage|x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Meter       |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vRealize    |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Automation  |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vRealize    |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Business for|x.x    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Cloud       |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vRealize    |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Code Stream |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vRealize Log|x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Insight     |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vRealize    |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Network     |x.x    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Insight     |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vRealize    |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Operations  |x.x    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Manager     |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vRealize    |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Orchestrator|x.x    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Appliance   |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vRealize    |       |         |               |      |         |       |           |          |
|Suite       |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Lifecycle   |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
|Manager     |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vSphere Data|x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Protection  |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vSphere     |       |Virtual  |CVE-2019-11477,|      |         |Patch  |           |          |
|Integrated  |x.x    |Appliance|CVE-2019-11478 |7.5   |Important|Pending|None       |None      |
|Containers  |       |         |               |      |         |       |           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+
|vSphere     |x.x    |Virtual  |CVE-2019-11477,|7.5   |Important|Patch  |None       |None      |
|Replication |       |Appliance|CVE-2019-11478 |      |         |Pending|           |          |
+------------+-------+---------+---------------+------+---------+-------+-----------+----------+

4. References

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478


Fixed Version(s) and Release Notes:

Unified Access Gateway 3.6

Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=UAG-36&productId=897&rPId=34577


vCenter Server Appliance 6.5u3

Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=VC65U3&productId=614&rPId=34639


SD-WAN Edge by VeloCloud 3.3.0

Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=SD-WAN-EDGE-330&productId=899&rPId=34579


SD-WAN Gateway by VeloCloud 3.3.0

Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=SD-WAN-VCG-330&productId=899&rPId=34582


SD-WAN Orchestrator by VeloCloud 3.3.0

Downloads and Documentation:

https://my.vmware.com/web/vmware/details?downloadGroup=SD-WAN-ORC-330-2&productId=899&rPId=34580

Workarounds:

https://kb.vmware.com/s/article/70900
https://kb.vmware.com/s/article/70899


5. Change log

2019-07-02: VMSA-2019-0010

Initial security advisory detailing remediations and/or workarounds for SD-WAN,
Unified Access Gateway, vCenter Server Appliance, and vCloud Director For
Service Providers.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
 

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com
  bugtraq@securityfocus.com
  fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog  
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC


Copyright 2019 VMware Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----