VMware Security Advisories
| Advisory ID | VMSA-2019-0010.3 |
| Advisory Severity | Important |
| CVSSv3 Range | 5.3 - 7.5 |
| Synopsis | VMware product updates address Linux kernel vulnerabilities in TCP Selective Acknowledgement (SACK) (CVE-2019-11477, CVE-2019-11478) |
| Issue Date | 2019-07-02 |
| Updated On | 2020-02-25 |
| CVE(s) | CVE-2019-11477, and CVE-2019-11478 |
1. Impacted Products
- AppDefense
- Container Service Extension
- Enterprise PKS
- Horizon DaaS
- Hybrid Cloud Extension
- Identity Manager
- Integrated OpenStack
- NSX for vSphere
- NSX-T Data Center
- Pulse Console
- SD-WAN Edge by VeloCloud
- SD-WAN Gateway by VeloCloud
- SD-WAN Orchestrator by VeloCloud
- Skyline Collector
- Unified Access Gateway
- vCenter Server Appliance
- vCloud Availability Appliance
- vCloud Director For Service Providers
- vCloud Usage Meter
- vRealize Automation
- vRealize Business for Cloud
- vRealize Code Stream
- vRealize Log Insight
- vRealize Network Insight
- vRealize Operations Manager
- vRealize Orchestrator Appliance
- vRealize Suite Lifecycle Manager
- vSphere Data Protection
- vSphere Integrated Containers
- vSphere Replication
2. Introduction
Several vulnerabilities in the Linux kernel implementation of TCP Selective Acknowledgement (SACK) have been disclosed. These issues may allow a malicious entity to execute a Denial of Service attack against affected products.
3. Linux kernel vulnerabilities in TCP Selective Acknowledgement (SACK) CVE-2019-11477, CVE-2019-11478
Description:
There are two uniquely identifiable vulnerabilities associated with the Linux kernel implementation of SACK:
- CVE-2019-11477 - SACK Panic - A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
- CVE-2019-11478 - SACK Excess Resource Usage - a crafted sequence of SACKs will fragment the TCP retransmission queue, causing resource exhaustion. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
Known Attack Vectors:
A malicious actor must have network access to an affected system including the ability to send traffic with low MSS values to the target. Successful exploitation of these issues may cause the target system to crash or significantly degrade performance.
Resolution:
To remediate CVE-2019-11477 and CVE-2019-11478 update/upgrade to the versions listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds:
Some VMware Virtual Appliances can workaround CVE-2019-11477 and CVE-2019-11478 by either disabling SACK or by modifying the built in firewall (if available) in the base OS of the product to drop incoming connections with a low MSS value. In-product workarounds (if available) have been enumerated in the 'Workarounds' column of the 'Resolution Matrix' found below.
Additional Documentations:
None.
Acknowledgements:
None.
Response Matrix:
| Product | Version | Running On | CVE Identifier | CVSSV3 | Severity | Fixed Version | Workarounds | Additional Documents |
| AppDefense | 2.x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 2.2.1 | None | None |
| Container Service Extension | 2.x.y | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important |
2.5.0 | None |
None |
| Enterprise PKS | 1.4.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 1.4.3 | None | None |
| Enterprise PKS | 1.3.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 1.3.7 | None | None |
| Horizon DaaS | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| Hybrid Cloud Extension | 3.x.y | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 3.5.2 | None | None |
| Identity Manager | 3.x.y | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 3.3.1 | None | None |
| Integrated OpenStack | 5.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 5.1.0.3 | None | None |
| Integrated OpenStack | 4.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 4.1.2.3 | None | None |
| NSX for vSphere | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 6.4.6 | KB71311 |
None |
| NSX-T Data Center | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 2.5.0 | None | None |
| Pulse Console | 1.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | No Patch Planned | None | None |
| SD-WAN Edge by VeloCloud | x.x | Any | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 3.3.0 | None | None |
| SD-WAN Gateway by VeloCloud | x.x | Any | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 3.3.0 | None | None |
| SD-WAN Orchestrator by VeloCloud | x.x | Any | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 3.3.0 | None | None |
| Site Recovery Manager | 8.2.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 8.2.0.1 | None | None |
| Site Recovery Manager | x.x | Windows | CVE-2019-11477, CVE-2019-11478 | N/A | N/A | Unaffected | N/A | N/A |
| Skyline Collector | 1.x, 2.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 2.2 | None | None |
| Unified Access Gateway | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 3.6 | KB70899 |
None |
| vCenter Server Appliance | 6.7 | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 6.7u2c | None | None |
| vCenter Server Appliance | 6.5 | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 6.5u3 | None | None |
| vCenter Server Appliance | 6.0 | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 6.0u3j | None | None |
| vCloud Availability Appliance | 3.x.y | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 3.0.2 | None | None |
| vCloud Director For Service Providers | 9.7.x.y | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 9.7.0.2 | KB70900 | None |
| vCloud Director For Service Providers | 9.5.x.y | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 9.5.0.4 | KB70900 | None |
| vCloud Usage Meter | 4.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 4.1.0.1 | None | None |
| vRealize Automation | 7.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 8.0.0 | KB77078 | None |
| vRealize Business for Cloud | 7.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | No Patch Planned | KB77201 |
None |
| vRealize Code Stream | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| vRealize Log Insight | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 8.1.1 | KB70892 | None |
| vRealize Network Insight | 4.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 4.2 | None | None |
| vRealize Operations Manager | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 8.0.0 | KB71029 | None |
| vRealize Orchestrator Appliance | 7.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 8.0.0 | None | None |
| vRealize Suite Lifecycle Manager | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 8.0 | None | None |
| vSphere Data Protection | x.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | No Patch Planned | None | None |
| vSphere Integrated Containers | 1.x.y | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 1.5.3 | None | None |
| vSphere Replication | 8.2.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 8.2.0.1 | None | None |
| vSphere Replication | 8.1.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | Patch Pending | None | None |
| vSphere Replication | 6.5.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | 6.5.1.4 | None | None |
| vSphere Replication | 6.1.x | Virtual Appliance | CVE-2019-11477, CVE-2019-11478 | 7.5 | Important | No Patch Planned | None | None |
4. References
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478
Fixed Version(s) and Release Notes:
AppDefense 2.2.1
Downloads:
https://my.vmware.com/web/vmware/details?downloadGroup=APPDEFENSE-221&productId=742&rPId=35078
Documentation:
https://docs.vmware.com/en/VMware-AppDefense/221/rn/appdefense-plugin-221-release-notes.html
Container Service Extension 2.5.0
Downloads and Documentation:
https://github.com/vmware/container-service-extension/releases/tag/2.5.0
Enterprise PKS 1.4.3
Downloads and Documentation:
https://network.pivotal.io/products/pivotal-container-service/#/releases/473809
Enterprise PKS 1.3.7
Download:
https://network.pivotal.io/products/pivotal-container-service/#/releases/384407
Documentation:
https://docs.vmware.com/en/VMware-Enterprise-PKS/1.3/rn/VMware-PKS-13-Release-Notes.html#v1.3.7
Hybrid Cloud Extension 3.5.2
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_hcx/3_5_2
Identity Manager 3.3.1
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VIDM_ONPREM_3310&productId=938&rPId=40716
Integrated OpenStack 5.1.0.3
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VIO-5103&productId=821&rPId=36089
Integrated OpenStack 4.1.2.3
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VIO-4123&productId=709&rPId=36084
Site Recovery Manager 8.2.0.1 Virtual Appliance
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=SRM8201&productId=889&rPId=35694
Unified Access Gateway 3.6
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=UAG-36&productId=897&rPId=34577
vCenter Server Appliance 6.7u2c
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VC67U2C&productId=742&rPId=34693
vCenter Server Appliance 6.5u3
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VC65U3&productId=614&rPId=34639
vCenter Server Appliance 6.0u3j
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VC60U3J&productId=491&rPId=38009
vCloud Availability 3.0.2
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VCAV3&productId=872&rPId=34687
vCloud Director For Service Providers 9.7.0.2
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=867&downloadGroup=VSPP_VCD9702
vCloud Director For Service Providers 9.5.0.4
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=804&downloadGroup=VSPP_VCD9504
vCloud Usage Meter 4.1.0.1
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=UMSV41&productId=929&rPId=37630
vRealize Automation 8.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=935&rPId=40695&downloadGroup=VRA-800
SD-WAN Edge by VeloCloud 3.3.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=SD-WAN-EDGE-330&productId=899&rPId=34579
SD-WAN Gateway by VeloCloud 3.3.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=SD-WAN-VCG-330&productId=899&rPId=34582
SD-WAN Orchestrator by VeloCloud 3.3.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=SD-WAN-ORC-330-2&productId=899&rPId=34580
vRealize Log Insight 8.1.1
Downloads and Documentation:
vRealize Network Insight 4.2.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VRNI-420&productId=832&rPId=35011
vRealize Operations 8.0.0
Downloads and Documentation:
vRealize Orchestrator Appliance 8.0.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=742&downloadGroup=VROVA-800
vRealize Suite Lifecycle Manager 8.0
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=938&rPId=40713&downloadGroup=VRSLCM-800
vSphere Integrated Containers 1.5.3
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?productId=843&rPId=37633&downloadGroup=VIC153
vSphere Replication 8.2.0.1
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VR8201&productId=742&rPId=35626
vSphere Replication 6.5.1.4
Downloads and Documentation:
https://my.vmware.com/web/vmware/details?downloadGroup=VR6514&productId=614&rPId=35279
Workarounds:
https://kb.vmware.com/s/article/70900
https://kb.vmware.com/s/article/70899
https://kb.vmware.com/s/article/71311
https://kb.vmware.com/s/article/70892
https://kb.vmware.com/s/article/71029
https://kb.vmware.com/s/article/77201
https://kb.vmware.com/s/article/77078
5. Change log
2019-07-02: VMSA-2019-0010
Initial security advisory detailing remediations and/or workarounds for SD-WAN, Unified Access Gateway, vCenter Server Appliance, and vCloud Director For Service Providers.
2019-07-24: VMSA-2019-0010.1
Updated security advisory with remediation information for the vCenter 6.7 and AppDefense 2.x release lines and removed Horizon from affected products as it was incorrectly listed.
2019-08-08: VMSA-2019-0010.2
Updated security advisory with remediation information for the vSphere Replication 6.5.x release line.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2019 VMware Inc. All rights reserved.