VMSA-2020-0010:VMware Cloud Director updates address Code Injection Vulnerability
1. Impacted Products
VMware Cloud Director (formerly known as vCloud Director)
2. Introduction
A code injection vulnerability in VMware Cloud Director was privately reported to VMware. Patches and workarounds are available to remediate or workaround this vulnerability in affected VMware products.
3a. Advisory Details
Description
VMware Cloud Director does not properly handle input leading to a code injection vulnerability. VMware has evaluated the severity of this issue to be in the Imporant severity range with a maximum CVSSv3 base score of 8.8.
Known Attack Vectors
An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.
Resolution
To remediate CVE-2020-3956 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
Workarounds for CVE-2020-3956 have been documented in the VMware Knowledge Base article listed in the 'Workarounds' column the 'Response Matrix' found below.
Additional Documentation
None.
Notes
None.
Acknowledgements
VMware would like to thank Tomáš Melicher and Lukáš Václavík of Citadelo for reporting this issue to us.
Response Matrix
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| VMware Cloud Director | 10.1.0 | Linux, PhotonOS appliance | CVE-2020-3956 | N/A | N/A | Unaffected | N/A | N/A |
| VMware Cloud Director | 10.0.x | Linux, PhotonOS appliance | CVE-2020-3956 | None | ||||
| VMware Cloud Director | 9.7.x | Linux, PhotonOS appliance | CVE-2020-3956 | None | ||||
| VMware Cloud Director | 9.5.x | Linux, PhotonOS appliance | CVE-2020-3956 | 9.5.0.6 | None | |||
| VMware Cloud Director | 9.1.x | Linux | CVE-2020-3956 | 9.1.0.4 | None | |||
| VMware Cloud Director | 9.0.x | Linux | CVE-2020-3956 | N/A | N/A | Unaffected | N/A | N/A |
| VMware Cloud Director | 8.x | Linux | CVE-2020-3956 | N/A | N/A | Unaffected | N/A | N/A |
4. References
Downloads and Documentation:
www.vmware.com/go/download/vcloud-director
vCloud Director 10.0.0.2
https://docs.vmware.com/en/VMware-Cloud-Director/10.0/rn/VMware-vCloud-Director-for-Service-Providers-10002-Release-Notes.html
vCloud Director 9.7.0.5
https://docs.vmware.com/en/VMware-Cloud-Director/9.7/rn/VMware-vCloud-Director-for-Service-Providers-9705-Release-Notes.html
vCloud Director 9.5.0.6
https://docs.vmware.com/en/VMware-Cloud-Director/9.5/rn/vCloud-Director-9506-for-Service-Providers-Release-Notes.html
vCloud Director 9.1.0.4
https://docs.vmware.com/en/VMware-Cloud-Director/9.1/rn/vCloud-Director-9104-for-Service-Providers-Release-Notes.html
Workarounds
https://kb.vmware.com/s/article/79091
Mitre CVE Dictionary Links
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3956
FIRST CVSSv3 Calculator
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
5. Change Log
2020-05-19 VMSA-2020-0010
Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
[email protected]
[email protected]
[email protected]
E-mail: [email protected]
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2020 VMware Inc. All rights reserved.