VMware Security Advisories

Advisory ID VMSA-2019-0017
Advisory Severity Moderate
CVSSv3 Range 4.3
Synopsis VMware SD-WAN by VeloCloud update addresses information disclosure vulnerability (CVE-2019-5533)
Issue Date 2019-10-16
Updated On 2019-10-16 (Initial Advisory)
CVE(s) CVE-2019-5533
 
1. Impacted Products
  • VMware SD-WAN by VeloCloud (VeloCloud)
 
2. Introduction

An information disclosure vulnerability in VeloCloud was reported to VMware. Patches are available to remediate this vulnerability in VeloCloud. VMware-hosted VeloCloud Orchestrators have been patched for this issue.

 
3. Velocloud information disclosure vulnerability (CVE-2019-5533)

Description:

The VeloCloud Orchestrator parameter authorization check mistakenly allows enterprise users to obtain information of Managed Service Provider accounts. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 4.3.

 

Known Attack Vectors:

An enterprise user who is authenticated to the VeloCloud Orchestrator is able to retrieve information of users  that are of type "MSP". Among this information is username, first and last name, phone numbers and e-mail address if present but no other personal data.

 

Resolution:

To remediate CVE-2019-5533 update VeloCloud Orchestrator to the version listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. VMware-hosted VeloCloud Orchestrators have been patched for this issue.

 

Workarounds:

None.

 

Additional Documentations:

None.

 

Acknowledgements:

VMware would like to thank Silas Bärtsch of Compass Security for reporting this issue to us.

 

Response Matrix:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documents
VeloCloud Orchestrator
 3.x
 Linux
 CVE-2019-5533
 4.3
 Moderate
 3.3.1
 None None

 

4. References:

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5533

 

Fixed Version(s) and Release Notes:

 

VeloCloud 3.3.1
Downloads:
https://my.vmware.com/web/vmware/info/slug/networking_security/vmware_sd_wan/3_3_1

 

5. Change Log:
 

2019-10-16 VMSA-2019-0017
Initial security advisory.

 

6. Contact

 

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2019 VMware Inc. All rights reserved.