Synopsis: VMware SD-WAN by VeloCloud update addresses information disclosure vulnerability (CVE-2019-5533)
Updated On: 2019-10-16 (Initial Advisory)
An information disclosure vulnerability in VeloCloud was reported to VMware. Patches are available to remediate this vulnerability in VeloCloud. VMware-hosted VeloCloud Orchestrators have been patched for this issue.
The VeloCloud Orchestrator parameter authorization check mistakenly allows enterprise users to obtain information about Managed Service Provider (MSP) accounts. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 4.3.
Known Attack Vectors:
An enterprise user who is authenticated to the VeloCloud Orchestrator is able to retrieve information about users of type "MSP". This information consists of the username, first and last name, phone numbers and e-mail address (where present); no other personal data is exposed.
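The flaw described above is a server-side authorization check that lets a client-supplied parameter decide which account records come back. The following Python is an added, illustrative example of that pattern and of its corrected form; it is not VeloCloud code, and the user types, field names and sample directory are constructed for the example. The unchecked variant filters only on the requested type, so an enterprise requester asking for MSP records gets them; the checked variant evaluates each record against the requester's own role and enterprise before returning it.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical user record: user_type is either "ENTERPRISE" or "MSP".
@dataclass(frozen=True)
class User:
    username: str
    user_type: str
    enterprise_id: Optional[int]   # MSP users are not tied to one enterprise
    email: str

# Constructed sample directory (not real data).
DIRECTORY: List[User] = [
    User("alice", "ENTERPRISE", 1, "alice@example.test"),
    User("bob", "ENTERPRISE", 2, "bob@example.test"),
    User("carol", "MSP", None, "carol@msp.example.test"),
]

def list_users_unchecked(requester: User, directory: List[User], requested_type: str) -> List[str]:
    """Vulnerable pattern: the only filter is the client-supplied type parameter.
    The requester's own role is never consulted, so an enterprise user can ask
    for MSP records and receive them."""
    return [u.username for u in directory if u.user_type == requested_type]

def can_view(requester: User, target: User) -> bool:
    """Server-side rule: MSP users may see any account; enterprise users may see
    only accounts in their own enterprise and never MSP accounts."""
    if requester.user_type == "MSP":
        return True
    if target.user_type == "MSP":
        return False
    return requester.enterprise_id == target.enterprise_id

def list_users_checked(requester: User, directory: List[User], requested_type: str) -> List[str]:
    """Hardened pattern: the type parameter narrows the query, but every record is
    still subject to can_view() for the authenticated requester."""
    return [
        u.username
        for u in directory
        if u.user_type == requested_type and can_view(requester, u)
    ]

if __name__ == "__main__":
    alice = DIRECTORY[0]
    print("unchecked, enterprise user asks for MSP:", list_users_unchecked(alice, DIRECTORY, "MSP"))
    print("checked,   enterprise user asks for MSP:", list_users_checked(alice, DIRECTORY, "MSP"))
```

The point for reviewers of similar APIs is that the record type requested by the caller is input, not authorization; the decision about what the caller may see has to be made from the caller's authenticated identity on every record returned.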
To remediate CVE-2019-5533, update VeloCloud Orchestrator to the version listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. VMware-hosted VeloCloud Orchestrators have been patched for this issue.
VMware would like to thank Silas Bärtsch of Compass Security for reporting this issue to us.
Mitre CVE Dictionary Links:
Fixed Version(s) and Release Notes:
Change Log:
Initial security advisory.
E-mail list for product security notifications and announcements:
This Security Advisory is posted to the following lists:
PGP key at: