VMSA-2019-0017: VMware SD-WAN by VeloCloud update addresses information disclosure vulnerability

14 October 2019
Status: CLOSED
Severity: MEDIUM (CVSSv3 4.3)
CVE: CVE-2019-5533

VMware Security Advisories

Advisory ID: VMSA-2019-0017
Advisory Severity: Moderate
CVSSv3 Range: 4.3
Synopsis: VMware SD-WAN by VeloCloud update addresses information disclosure vulnerability (CVE-2019-5533)
Issue Date: 2019-10-16
Updated On: 2019-10-16 (Initial Advisory)
CVE(s): CVE-2019-5533

1. Impacted Products
  • VMware SD-WAN by VeloCloud (VeloCloud)
 
2. Introduction

An information disclosure vulnerability in VeloCloud was reported to VMware. Patches are available to remediate this vulnerability in VeloCloud. VMware-hosted VeloCloud Orchestrators have been patched for this issue.

 
3. VeloCloud information disclosure vulnerability (CVE-2019-5533)

Description:

The VeloCloud Orchestrator parameter authorization check mistakenly allows enterprise users to obtain information about Managed Service Provider (MSP) accounts. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 4.3.

 

Known Attack Vectors:

An enterprise user who is authenticated to the VeloCloud Orchestrator is able to retrieve information about users of type "MSP". This information includes the username, first and last name, phone numbers and e-mail address (where present), but no other personal data.
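The flaw class described above is an authorization check that verifies the caller is logged in but never compares the requested record's type and tenant with the caller's own scope. The following is an added illustration, not VeloCloud Orchestrator code and not VMware's fix; the account model, the `USERS` directory, the scope rule in `in_scope` and the two handler functions are all assumptions constructed for this example. It places the flawed pattern beside a hardened one that decides authorization on the target record, and returns the same "not found" result for missing and out-of-scope ids so the response itself does not reveal which MSP accounts exist.

```python
from dataclasses import dataclass
from typing import Dict, Optional


# Hypothetical account model for illustration; it is not VeloCloud Orchestrator's schema.
@dataclass(frozen=True)
class User:
    user_id: int
    username: str
    first_name: str
    last_name: str
    email: str
    account_type: str             # "ENTERPRISE" or "MSP"
    enterprise_id: Optional[int]  # tenant the user belongs to; None for MSP (partner) users


# Constructed sample directory: two enterprise tenants and one MSP operator.
USERS: Dict[int, User] = {
    100: User(100, "alice", "Alice", "Example", "alice@tenant-a.example", "ENTERPRISE", 1),
    101: User(101, "bob", "Bob", "Example", "bob@tenant-a.example", "ENTERPRISE", 1),
    200: User(200, "carol", "Carol", "Example", "carol@tenant-b.example", "ENTERPRISE", 2),
    900: User(900, "msp-ops", "Pat", "Operator", "ops@msp.example", "MSP", None),
}


class NotFound(LookupError):
    """Raised for both missing and out-of-scope records, so a caller cannot
    tell whether a user id exists outside its own scope."""


def get_user_flawed(caller: Optional[User], target_user_id: int) -> User:
    """Pattern behind the advisory: the handler only checks that the caller is
    authenticated. The target id comes straight from the request parameter and
    is looked up directly, so an enterprise user can read an MSP account."""
    if caller is None:
        raise PermissionError("authentication required")
    try:
        return USERS[target_user_id]
    except KeyError:
        raise NotFound(target_user_id) from None


def in_scope(caller: User, target: User) -> bool:
    """Authorization rule (assumed for this example): MSP users may read any
    account they operate; enterprise users may read only ENTERPRISE accounts
    in their own tenant, and never MSP accounts."""
    if caller.account_type == "MSP":
        return True
    return (
        target.account_type == "ENTERPRISE"
        and target.enterprise_id == caller.enterprise_id
    )


def get_user_fixed(caller: Optional[User], target_user_id: int) -> User:
    """Hardened handler: authorization is decided on the target record's type
    and tenant compared with the caller's, not on the request parameter alone.
    Missing and out-of-scope ids produce the identical NotFound result."""
    if caller is None:
        raise PermissionError("authentication required")
    target = USERS.get(target_user_id)
    if target is None or not in_scope(caller, target):
        raise NotFound(target_user_id)
    return target


if __name__ == "__main__":
    alice = USERS[100]
    print("flawed handler returns:", get_user_flawed(alice, 900).account_type)
    try:
        get_user_fixed(alice, 900)
    except NotFound:
        print("fixed handler: MSP record is not visible to an enterprise user")
```

The check worth taking from this is the one in `get_user_fixed`: load the record first, then compare its type and tenant with the caller's scope before returning anything. A review of similar endpoints should ask where the authorization decision is made and whether it depends on attributes of the requested object or only on the fact that the request is authenticated.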

 

Resolution:

To remediate CVE-2019-5533, update VeloCloud Orchestrator to the version listed in the 'Fixed Version' column of the 'Response Matrix' found below. VMware-hosted VeloCloud Orchestrators have been patched for this issue.

 

Workarounds:

None.

 

Additional Documentation:

None.

 

Acknowledgements:

VMware would like to thank Silas Bärtsch of Compass Security for reporting this issue to us.

 

Response Matrix:

Product                 Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documents
VeloCloud Orchestrator  3.x      Linux       CVE-2019-5533   4.3     Moderate  3.3.1          None         None

 

4. References:

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5533

 

Fixed Version(s) and Release Notes:

 

VeloCloud 3.3.1
Downloads:
https://my.vmware.com/web/vmware/info/slug/networking_security/vmware_sd_wan/3_3_1

 

5. Change Log:
 

2019-10-16 VMSA-2019-0017
Initial security advisory.

 

6. Contact

 

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  [email protected]

  [email protected]

  [email protected]

 

E-mail: [email protected]

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2019 VMware Inc. All rights reserved.