VMware Security Advisories
Advisory ID | VMSA-2019-0016 |
Advisory Severity | Critical |
CVSSv3 Range | 9.1 |
Synopsis | VMware Cloud Foundation and VMware Harbor Container Registry for PCF address broken access control vulnerability (CVE-2019-16919) |
Issue Date | 2019-10-15 |
Updated On | 2019-12-11 |
CVE(s) | CVE-2019-16919 |
1. Impacted Products
- VMware Cloud Foundation
- VMware Harbor Container Registry for PCF
2. Introduction
A broken access control vulnerability in Harbor, a Cloud Native Computing Foundation (CNCF) Open Source Project, was disclosed. Patches are available to remediate this vulnerability in affected VMware products.
3. Broken access control vulnerability in Harbor API (CVE-2019-16919)
Description:
A Broken Access Control vulnerability in the API of Harbor may allow for unauthorized access to push/pull/modify images in an adjacent project. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.
Known Attack Vectors:
A malicious actor with administrative access to one project may be able to use the Harbor API to create a robot account in an adjacent project (a different project on the same Harbor instance) that they are not authorized to administer. Successful exploitation may lead to unauthorized access to push, pull, or modify images in the target adjacent project.
Resolution:
To remediate CVE-2019-16919, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds:
None.
Additional Documentation:
None.
Notes:
None.
Acknowledgements:
None.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documents |
VMware Cloud Foundation* | x.x | Any | CVE-2019-16919 | 9.1 | Critical | 3.9.0 | None | None |
VMware Harbor Container Registry for PCF | 1.8.x | Any | CVE-2019-16919 | 9.1 | Critical | 1.8.4 | None | None |
VMware Harbor Container Registry for PCF | 1.7.x | Any | CVE-2019-16919 | N/A | N/A | Unaffected | None | None |
*VMware Cloud Foundation is affected if the optional 'Harbor Registry' component has been deployed.
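The following is an added example, not VMware's or the Harbor project's code. It turns the Response Matrix above into a version triage function for Harbor Container Registry for PCF, and it implements the audit a registry operator would want after reading the Known Attack Vectors section: scan robot-account records and report any robot whose scope references a project other than the one it belongs to. The record shape (a per-project listing with a `project_id` field and `access` entries whose `resource` looks like `/project/<id>/repository`) is an assumption about Harbor's robot-account representation, the sample records are constructed, and the check is written generically so it can be run over records gathered from the API, from request logs, or from decoded robot-token claims.

```python
"""Triage and audit helpers for CVE-2019-16919 (added example, not VMware/Harbor code)."""
import re
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a tuple; missing components count as 0."""
    parts = [int(p) for p in version.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def harbor_pcf_status(version: str) -> str:
    """Status of a Harbor Container Registry for PCF version per the Response Matrix:
    1.8.x is affected until 1.8.4, 1.7.x is unaffected, anything else is not
    covered by VMSA-2019-0016."""
    major, minor, patch = parse_version(version)
    if (major, minor) == (1, 8):
        return "fixed" if patch >= 4 else "affected"
    if (major, minor) == (1, 7):
        return "unaffected"
    return "not covered by VMSA-2019-0016"


# Assumed resource path format for a robot's access scope: /project/<id>/...
_RESOURCE_RE = re.compile(r"^/project/(\d+)(?:/|$)")


def cross_project_robots(projects: Dict[int, List[dict]]) -> List[Tuple[int, str, int]]:
    """Given {home_project_id: [robot_record, ...]}, return
    (home_project_id, robot_name, foreign_project_id) for every robot whose
    project_id field or access resources point at a project other than its home.
    A robot that only references its own project produces no finding."""
    findings: List[Tuple[int, str, int]] = []
    for home_id, robots in projects.items():
        for robot in robots:
            referenced = set()
            # The stored project_id should always equal the project it was listed under.
            if robot.get("project_id") not in (None, home_id):
                referenced.add(int(robot["project_id"]))
            # Any access entry scoped to another project is exactly what the advisory describes.
            for entry in robot.get("access", []):
                match = _RESOURCE_RE.match(entry.get("resource", ""))
                if match and int(match.group(1)) != home_id:
                    referenced.add(int(match.group(1)))
            for foreign in sorted(referenced):
                findings.append((home_id, robot.get("name", "<unnamed>"), foreign))
    return findings


# Constructed sample data (not captured from a real registry): project 2's deploy robot
# has been given push access to project 1's repositories.
SAMPLE_PROJECTS: Dict[int, List[dict]] = {
    1: [{"name": "robot$ci", "project_id": 1,
         "access": [{"resource": "/project/1/repository", "action": "pull"}]}],
    2: [{"name": "robot$deploy", "project_id": 2,
         "access": [{"resource": "/project/2/repository", "action": "pull"},
                    {"resource": "/project/1/repository", "action": "push"}]}],
}

if __name__ == "__main__":
    for v in ("1.7.6", "1.8.3", "1.8.4"):
        print(f"Harbor for PCF {v}: {harbor_pcf_status(v)}")
    for home, name, foreign in cross_project_robots(SAMPLE_PROJECTS):
        print(f"project {home}: robot {name} is scoped to project {foreign}")
```

The version check covers only the Harbor Container Registry for PCF rows; VMware Cloud Foundation is affected only when the optional Harbor Registry component is deployed, so it needs a deployment check rather than a version string. The scope audit is a post-patch sanity check as much as a detection: after upgrading to 1.8.4, any finding it reports is a robot account that should be reviewed and deleted, since patching does not revoke scopes that were granted before the fix.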
4. References
VMware Cloud Foundation 3.9.0
https://my.vmware.com/web/vmware/details?downloadGroup=VCF390&productId=945&rPId=39121
VMware Harbor Container Registry for PCF 1.8.4
https://network.pivotal.io/products/harbor-container-registry#/releases/484772
FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16919
5. Change log
2019-10-15: VMSA-2019-0016
Initial security advisory detailing remediations for CVE-2019-16919 in VMware Harbor Container Registry for PCF.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2019 VMware Inc. All rights reserved.