VMSA-2020-0016

Important

Advisory ID: VMSA-2020-0016

CVSSv3 Range: 8.5

Issue Date: 2020-07-07

Updated On: 2020-07-07 (Initial Advisory)

CVE(s): CVE-2020-3973

Synopsis: VMware SD-WAN by VeloCloud updates address SQL-injection vulnerability (CVE-2020-3973)

1. Impacted Products

VMware SD-WAN by VeloCloud (VeloCloud)

2. Introduction

An SQL-injection vulnerability in VeloCloud was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products. VMware-hosted VeloCloud Orchestrators have been patched for this issue.

3a. Advisory Details

Description

The VeloCloud Orchestrator does not apply correct input validation which allows for blind SQL-injection. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 8.5.

Known Attack Vendors

A malicious actor with tenant access to Velocloud Orchestrator could enter specially crafted SQL queries and obtain data to which they are not privileged.

Resolution

To remediate CVE-2020-3973 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank the UK’s National Cyber Security Centre (NCSC) and Olivier Houssenbay from ON-X Securité for independently reporting this issue to us.

Response Matrix

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
VeloCloud Orchestrator	3.x	Linux	CVE-2020-3973	8.5	important	3.3.2 p2, 3.4.1 and above, or apply a patch to 3.2.2, 3.3.1, 3.3.2 or 3.4.0 (Contact VMware Technical Support to obtain the required patch or version)	None	None