VMSA-2020-0009:vRealize Operations Application Remote Collector (ARC) addresses Authentication Bypass and Directory Traversal vulnerabilities
23576
13 May 2020
26 April 2020
CLOSED
CRITICAL
7.5-10.0
CVE-2020-11651,CVE-2020-11652
1. Impacted Products
vRealize Operations Application Remote Collector (ARC)
2. Introduction
Two vulnerabilities were disclosed in Salt, an open source project by SaltStack, which have been determined to affect vRealize Operations Application Remote Collector (ARC). Patches and Workarounds are available to address these vulnerabilities in affected VMware products.
3. vRealize Operations Application Remote Collector (ARC) addresses Authentication Bypass (CVE-2020-11651) and Directory Traversal (CVE-2020-11652) vulnerabilities.
Description
The Application Remote Collector (ARC) introduced with vRealize Operations 7.5 utilizes Salt which is affected by CVE-2020-11651 and CVE-2020-11652. VMware has evaluated CVE-2020-11651 (Authentication Bypass) to be in the Critical severity range with a maximum CVSSv3 base score of 10.0 and CVE-2020-11652 (Directory Traversal) to be in the Important severity range with a maximum CVSSv3 base score of 7.5.
Known Attack Vectors
CVE-2020-11651 (Authentication Bypass) may allow a malicious actor with network access to port 4505 or 4506 on the ARC to take control of the ARC and any Virtual Machines the ARC may have deployed a Telegraf agent to. CVE-2020-11652 (Directory Traversal) may allow a malicious actor with network access to port 4505 or 4506 on the ARC to access the entirety of the ARC filesystem.
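Both vulnerabilities hinge on who can reach the ARC's Salt ports, so the first thing an operator wants to know is whether 4505/4506 are bound beyond loopback and whether any inbound rule lets sources outside the managed-VM segment reach them. The script below is an added example, not VMware's or SaltStack's code and not part of this advisory: it parses a constructed `ss -ltn`-style listener listing and a hypothetical list of inbound allow rules (both embedded, not captured from a real ARC) and reports exposure. The assumption that only the VMs the ARC deploys Telegraf agents to need to reach these ports is the author's, not a statement from the advisory.

```python
"""Audit whether an ARC's Salt ports (4505/4506) are reachable from untrusted sources.

Added example for VMSA-2020-0009; inputs below are constructed, not real data.
"""
import ipaddress
from typing import List, Tuple

# Ports named in the advisory's attack vectors: Salt publish (4505) and request (4506).
SALT_PORTS = {4505, 4506}

# Constructed listener output in the shape `ss -ltn` prints (not from a real appliance).
LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:22       0.0.0.0:*
LISTEN 0      1000   0.0.0.0:4505       0.0.0.0:*
LISTEN 0      1000   0.0.0.0:4506       0.0.0.0:*
LISTEN 0      128    [::]:443           [::]:*
"""

# Hypothetical inbound allow rules as (source CIDR, destination port); constructed.
RULES = [
    ("10.20.0.0/16", 4505),   # segment holding the VMs the ARC manages (assumed)
    ("10.20.0.0/16", 4506),
    ("0.0.0.0/0", 4506),      # over-broad: any source may reach the request port
    ("0.0.0.0/0", 443),       # unrelated to Salt; the check ignores it
]
# Networks that legitimately need the Salt ports (assumed for this example).
ALLOWED_SOURCES = ["10.20.0.0/16"]


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'addr:port' (IPv6 written as '[addr]:port') into (addr, port)."""
    addr, port = endpoint.rsplit(":", 1)
    return addr.strip("[]"), int(port)


def parse_listeners(text: str) -> List[Tuple[str, int]]:
    """Return (local address, port) for every LISTEN row of ss -ltn style output."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        found.append(_split_endpoint(fields[3]))
    return found


def exposed_salt_listeners(text: str) -> List[Tuple[str, int]]:
    """Salt ports bound to any address other than loopback (0.0.0.0 and :: count as exposed)."""
    return [
        (addr, port)
        for addr, port in parse_listeners(text)
        if port in SALT_PORTS and not ipaddress.ip_address(addr).is_loopback
    ]


def unrestricted_sources(rules, allowed_sources) -> List[Tuple[str, int]]:
    """Rules that admit a Salt port from a source not contained in an allowed network."""
    allowed = [ipaddress.ip_network(net) for net in allowed_sources]
    findings = []
    for src, port in rules:
        if port not in SALT_PORTS:
            continue
        net = ipaddress.ip_network(src)
        # subnet_of() raises on mixed IP versions, so compare versions first.
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append((src, port))
    return findings


def audit(listeners: str = LISTENERS, rules=RULES, allowed=ALLOWED_SOURCES) -> dict:
    """Combine both checks into one report suitable for ticketing or a compliance scan."""
    return {
        "exposed_listeners": exposed_salt_listeners(listeners),
        "unrestricted_rules": unrestricted_sources(rules, allowed),
    }


if __name__ == "__main__":
    report = audit()
    for addr, port in report["exposed_listeners"]:
        print(f"Salt port {port} listening on non-loopback address {addr}")
    for src, port in report["unrestricted_rules"]:
        print(f"inbound rule allows {src} -> {port}, outside allowed sources")
```

A listener bound to 0.0.0.0 is expected on a working ARC, since the managed VMs must reach it; the finding that matters is the second one, an allow rule whose source is not confined to those VMs. Restricting that rule reduces exposure while the patches from the Response Matrix are scheduled, but it does not replace them.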
Resolution
To remediate CVE-2020-11651 and CVE-2020-11652, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below to affected ARC deployments.
Workarounds
Workarounds for CVE-2020-11651 and CVE-2020-11652 have been documented in the VMware Knowledge Base article listed in the "Workarounds" column of the "Response Matrix" below.
Additional Documentation
Patches for CVE-2020-11651 and CVE-2020-11652 must be manually applied directly to affected ARC deployments. Instructions for doing so have been added to KB79031.
Notes
None.
Acknowledgements
None.
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
ARC | | Virtual Appliance | CVE-2020-11651, CVE-2020-11652 | 10.0 | Critical | 8.1.0.38178 | KB79031 | KB79031
ARC | 8.0.x | Virtual Appliance | CVE-2020-11651, CVE-2020-11652 | 10.0 | Critical | 8.0.1.38184 | KB79031 | KB79031
ARC | 7.5.0 | Virtual Appliance | CVE-2020-11651, CVE-2020-11652 | 10.0 | Critical | 7.5.0.38179 | KB79031 | KB79031
4. References
Downloads and Documentation:
Application Remote Collector (ARC) 8.1.0.38178 Build 16187903
https://my.vmware.com/web/vmware/details?downloadGroup=VROPS-810&productId=991&rPId=45691
Application Remote Collector (ARC) 8.0.1.38184 Build 16189281
https://my.vmware.com/web/vmware/details?downloadGroup=VROPS-801&productId=940&rPId=40733
Application Remote Collector (ARC) 7.5.0.38179 Build 16188146
https://my.vmware.com/web/vmware/details?downloadGroup=VROPS-750&productId=875&rPId=32115
Workarounds:
https://kb.vmware.com/s/article/79031
3rd Party Disclosure:
https://community.saltstack.com/blog/critical-vulnerabilities-update-cve-2020-11651-and-cve-2020-11652/
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11651
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11652
FIRST CVSSv3 Calculator:
CVE-2020-11651 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE-2020-11652 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
5. Change Log
2020-05-08 VMSA-2020-0009
Initial security advisory.
2020-05-15 VMSA-2020-0009.1
Added remediation information and clarification that the affected virtual appliance is the vRealize Operations Application Remote Collector (ARC).
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2020 VMware Inc. All rights reserved.