VMware has released a new security advisory VMSA-2019-0018 (VMware vCenter Server Appliance updates address sensitive information disclosure vulnerability in backup and restore functions).
| Advisory ID | VMSA-2019-0018 |
| Advisory Severity | Moderate |
| CVSSv3 Range | 6.8 |
| Synopsis | VMware vCenter Server Appliance updates address sensitive information disclosure vulnerability in backup and restore functions (CVE-2019-5537, CVE-2019-5538) |
| Issue Date | 2019-10-24 |
| Updated On | 2019-10-24 (Initial Advisory) |
| CVE(s) | CVE-2019-5537, CVE-2019-5538 |
This advisory documents the remediation of one issue, rated with the severity of moderate. Sensitive information disclosure vulnerabilities resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance may allow a malicious actor to intercept sensitive data in transit over FTPS, HTTPS, or SCP.
A man-in-the-middle positioned between vCenter Server Appliance and a backup target may be able to intercept data in transit during File-Based Backup and Restore operations.
The identifiers CVE-2019-5537 (data interception over FTPS and HTTPS) and CVE-2019-5538 (data interception over SCP) were assigned to this vulnerability.
Affected products and resolutions:
- vCenter Server Appliance 6.7 – update to 6.7 Update 3a
- vCenter Server Appliance 6.5 – update to 6.5 Update 3d
Remediation of CVE-2019-5537 and CVE-2019-5538 is not enabled by default. After upgrading the vCenter Server Appliance, follow the steps in KB75156 (Enabling secure backup and restore in the vCenter Server Appliance) to enforce strict certificate validation.
References
Fixed Version(s) and Release Notes:
VMware vCenter Server Appliance 6.7u3a
VMware vCenter Server Appliance 6.5u3d
Additional Documentation:
