VMware Security Advisories

Advisory ID VMSA-2019-0016
Advisory Severity Critical
CVSSv3 Range 9.1
Synopsis VMware Cloud Foundation and VMware Harbor Container Registry for PCF address broken access control vulnerability (CVE-2019-16919)
Issue Date 2019-10-15
Updated On 2019-12-11
CVE(s) CVE-2019-16919
 
1. Impacted Products
  • VMware Cloud Foundation
  • VMware Harbor Container Registry for PCF
 
2. Introduction
A broken access control vulnerability in Harbor, a Cloud Native Computing Foundation (CNCF) Open Source Project, was disclosed. Patches are available to remediate this vulnerability in affected VMware products.
3. Broken access control vulnerability in Harbor API (CVE-2019-16919)

Description:

A Broken Access Control vulnerability in the API of Harbor may allow for unauthorized access to push/pull/modify images in an adjacent project. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.

 

Known Attack Vectors:

A malicious actor with administrative access to a project may be able to create a robot account inside of an adjacent project via the Harbor API. Successful exploitation of this issue may lead to unauthorized access to push/pull/modify images in the target adjacent project.

 

Resolution:

To remediate CVE-2019-16919, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

 

Workarounds:

None.

 

Additional Documentation:

None.

 

Notes:

None.

 

Acknowledgements:

None.

 

Response Matrix:

Product Version Running On CVE Identifier CVSSV3 Severity Fixed Version Workarounds Additional Documents
VMware Cloud Foundation* x.x Any
CVE-2019-16919 9.1 Critical 3.9.0 None None
VMware Harbor Container Registry for PCF 1.8.x Any CVE-2019-16919 9.1 Critical 1.8.4 None None
VMware Harbor Container Registry for PCF 1.7.x Any CVE-2019-16919 N/A N/A Unaffected None None

*VMware Cloud Foundation is affected if the optional 'Harbor Registry' component has been deployed.

 

4. References

VMware Cloud Foundation 3.9.0

https://my.vmware.com/web/vmware/details?downloadGroup=VCF390&productId=945&rPId=39121
 

VMware Harbor Container Registry for PCF 1.8.4

https://network.pivotal.io/products/harbor-container-registry#/releases/484772

 

 

FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

 

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16919

 

5. Change log
 

2019-10-15: VMSA-2019-0016 

Initial security advisory detailing remediations for CVE-2019-16919 in VMware Harbor Container Registry for PCF.

 

6. Contact

 

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2019 VMware Inc. All rights reserved.