VMware Security Advisories
| Advisory ID | VMSA-2019-0010.3 |
| Advisory Severity | Important |
| CVSSv3 Range | 5.3 - 7.5 |
| Synopsis | VMware product updates address Linux kernel vulnerabilities in TCP Selective Acknowledgement (SACK) (CVE-2019-11477, CVE-2019-11478) |
| Issue Date | 2019-07-02 |
| Updated On | 2019-08-16 |
| CVE(s) | CVE-2019-11477, and CVE-2019-11478 |
Security
Sign up for Security Advisories
1. Impacted Products
- AppDefense
- Container Service Extension
- Enterprise PKS
- Horizon DaaS
- Hybrid Cloud Extension
- Identity Manager
- Integrated OpenStack
- NSX for vSphere
- NSX-T Data Center
- Pulse Console
- SD-WAN Edge by VeloCloud
- SD-WAN Gateway by VeloCloud
- SD-WAN Orchestrator by VeloCloud
- Skyline Collector
- Unified Access Gateway
- vCenter Server Appliance
- vCloud Availability Appliance
- vCloud Director For Service Providers
- vCloud Usage Meter
- vRealize Automation
- vRealize Business for Cloud
- vRealize Code Stream
- vRealize Log Insight
- vRealize Network Insight
- vRealize Operations Manager
- vRealize Orchestrator Appliance
- vRealize Suite Lifecycle Manager
- vSphere Data Protection
- vSphere Integrated Containers
- vSphere Replication
2. Introduction
Several vulnerabilities in the Linux kernel implementation of TCP Selective Acknowledgement (SACK) have been disclosed. These issues may allow a malicious entity to execute a Denial of Service attack against affected products.
3. Linux kernel vulnerabilities in TCP Selective Acknowledgement (SACK) CVE-2019-11477, CVE-2019-11478
Description:
There are two uniquely identifiable vulnerabilities associated with the Linux kernel implementation of SACK:
- CVE-2019-11477 - SACK Panic - A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
- CVE-2019-11478 - SACK Excess Resource Usage - a crafted sequence of SACKs will fragment the TCP retransmission queue, causing resource exhaustion. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
Known Attack Vectors:
A malicious actor must have network access to an affected system including the ability to send traffic with low MSS values to the target. Successful exploitation of these issues may cause the target system to crash or significantly degrade performance.
Resolution:
To remediate CVE-2019-11477 and CVE-2019-11478 update/upgrade to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds:
Some VMware Virtual Appliances can workaround CVE-2019-11477 and CVE-2019-11478 by either disabling SACK or by modifying the built in firewall (if available) in the base OS of the product to drop incoming connections with a low MSS value. In-product workarounds (if available) have been enumerated in the 'Workarounds' column of the 'Resolution Matrix' found below.
Additional Documentations:
None.
Acknowledgements:
None.
Response Matrix:
| Product | Version | Running On | CVE Identifier | CVSSV3 | Severity | Fixed Version | Workarounds | Additional Documents |
| AppDefense | 2.x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 2.2.1 | None | None |
| Container Service Extension | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important |
Patch Pending | None |
None |
| Enterprise PKS | 1.4.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| Enterprise PKS | 1.3.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 1.3.7 | None | None |
| Horizon DaaS | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| Hybrid Cloud Extension | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| Identity Manager | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| Integrated OpenStack | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| NSX for vSphere | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | KB71311 |
None |
| NSX-T Data Center | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| Pulse Console | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| SD-WAN Edge by VeloCloud | x.x | Any | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 3.3.0 | None | None |
| SD-WAN Gateway by VeloCloud | x.x | Any | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 3.3.0 | None | None |
| SD-WAN Orchestrator by VeloCloud | x.x | Any | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 3.3.0 | None | None |
| Site Recovery Manager | 8.2.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 8.2.0.1 | None | None |
| Site Recovery Manager | x.x | Windows | CVE-2019-11477, CVE-2019-11478 | N/A | N/A | Unaffected | N/A | N/A |
| Skyline Collector | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| Unified Access Gateway | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 3.6 | KB70899 |
None |
| vCenter Server Appliance | 6.7 | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 6.7u2c | None | None |
| vCenter Server Appliance | 6.5 | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 6.5u3 | None | None |
| vCenter Server Appliance | 6.0 | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| vCloud Availability Appliance | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| vCloud Director For Service Providers | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | KB70900 | None |
| vCloud Usage Meter | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| vRealize Automation | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| vRealize Business for Cloud | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| vRealize Code Stream | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| vRealize Log Insight | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | KB70892 | None |
| vRealize Network Insight | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| vRealize Operations Manager | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | KB71029 | None |
| vRealize Orchestrator Appliance | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| vRealize Suite Lifecycle Manager | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| vSphere Data Protection | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| vSphere Integrated Containers | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| vSphere Replication | 8.2.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 8.2.0.1 | None | None |
| vSphere Replication | 8.1.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| vSphere Replication | 6.5.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 6.5.1.4 | None | None |
| vSphere Replication | 6.1.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
4. References
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
Fixed Version(s) and Release Notes:
AppDefense 2.2.1
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPDEFENSE-221&productId=742&rPId=35078
Documentation:
https://docs.vmware.com/en/VMware-AppDefense/221/rn/appdefense-plugin-221-release-notes.html
Enterprise PKS 1.3.7
Download:
https://network.pivotal.io/products/pivotal-container-service/#/releases/384407
Documentation:
https://docs.vmware.com/en/VMware-Enterprise-PKS/1.3/rn/VMware-PKS-13-Release-Notes.html#v1.3.7
Site Recovery Manager 8.2.0.1 Virtual Appliance
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=SRM8201&productId=889&rPId=35694
Unified Access Gateway 3.6
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=UAG-36&productId=897&rPId=34577
vCenter Server Appliance 6.7u2c
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VC67U2C&productId=742&rPId=34693
vCenter Server Appliance 6.5u3
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VC65U3&productId=614&rPId=34639
SD-WAN Edge by VeloCloud 3.3.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=SD-WAN-EDGE-330&productId=899&rPId=34579
SD-WAN Gateway by VeloCloud 3.3.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=SD-WAN-VCG-330&productId=899&rPId=34582
SD-WAN Orchestrator by VeloCloud 3.3.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=SD-WAN-ORC-330-2&productId=899&rPId=34580
vSphere Replication 8.2.0.1
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VR8201&productId=742&rPId=35626
vSphere Replication 6.5.1.4
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VR6514&productId=614&rPId=35279
Workarounds:
https://kb.vmware.com/s/article/70900
https://kb.vmware.com/s/article/70899
https://kb.vmware.com/s/article/71311
https://kb.vmware.com/s/article/70892
https://kb.vmware.com/s/article/71029
5. Change log
2019-07-02: VMSA-2019-0010
Initial security advisory detailing remediations and/or workarounds for SD-WAN, Unified Access Gateway, vCenter Server Appliance, and vCloud Director For Service Providers.
2019-07-24: VMSA-2019-0010.1
Updated security advisory with remediation information for the vCenter 6.7 and AppDefense 2.x release lines and removed Horizon from affected products as it was incorrectly listed.
2019-08-08: VMSA-2019-0010.2
Updated security advisory with remediation information for the vSphere Replication 6.5.x release line.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2019 VMware Inc. All rights reserved.