VMware has released a new security advisory VMSA-2019-0018 (VMware vCenter Server Appliance updates address sensitive information disclosure vulnerability in backup and restore functions).
Advisory: VMware vCenter Server Appliance updates address sensitive information disclosure vulnerability in backup and restore functions (CVE-2019-5537, CVE-2019-5538)
Published: 2019-10-24 (Initial Advisory)
This advisory documents the remediation of one issue, rated Moderate severity. Sensitive information disclosure vulnerabilities resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance may allow a malicious actor to intercept sensitive data in transit over FTPS, HTTPS, or SCP.
A man-in-the-middle positioned between vCenter Server Appliance and a backup target may be able to intercept data in transit during File-Based Backup and Restore operations.
Affected products and resolutions:
- vCenter Server Appliance 6.7 – update to 6.7 Update 3a
- vCenter Server Appliance 6.5 – update to 6.5 Update 3d
Remediation of CVE-2019-5537 and CVE-2019-5538 is not enabled by default. After upgrading the vCenter Server Appliance, follow the steps in KB75156 (Enabling secure backup and restore in the vCenter Server Appliance) to enforce strict certificate validation.
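The following Go program is an added illustration of the mechanism behind the advisory and of what "strict certificate validation" changes; it is not VMware code and does not model the appliance's actual backup client. An httptest server with a self-signed certificate (a constructed stand-in for the HTTPS backup target, hypothetical names throughout) is contacted three ways: with certificate validation disabled, which is the weak behaviour that lets an interposed host terminate the session; with validation against the system trust store, which rejects the unknown issuer; and with the target's own certificate pinned as the trust anchor, which is how a strictly validating client is meant to accept a self-signed target.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newBackupTarget is a constructed stand-in for an HTTPS backup destination.
// httptest issues it a self-signed certificate, which plays the role of a
// certificate the appliance has no prior reason to trust.
func newBackupTarget() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "backup accepted")
	}))
}

// lenientClient models the unremediated behaviour: the channel is encrypted,
// but the peer certificate is never validated, so whoever terminates the TLS
// session (the real target or an interposed host) is accepted.
func lenientClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the weak setting
	}}
}

// strictClient validates the chain against roots (nil means the system trust
// store) and checks the hostname; this is the strict validation the
// remediation enables.
func strictClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12},
	}}
}

// uploadBackup sends one request to the target. It reports whether the
// transfer went through and, if not, whether certificate verification stopped
// it; only other transport failures are returned as errors.
func uploadBackup(c *http.Client, url string) (ok bool, certRejected bool, err error) {
	defer c.CloseIdleConnections()
	resp, err := c.Get(url)
	if err != nil {
		var unknownCA x509.UnknownAuthorityError
		var badHost x509.HostnameError
		certRejected = errors.As(err, &unknownCA) || errors.As(err, &badHost) ||
			strings.Contains(err.Error(), "x509:")
		if certRejected {
			return false, true, nil
		}
		return false, false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return false, false, err
	}
	return resp.StatusCode == http.StatusOK && string(body) == "backup accepted", false, nil
}

// outcome collects what each client configuration did against the same target.
type outcome struct {
	LenientAccepted     bool // no validation: transfer proceeds to whoever answered
	SystemRootsAccepted bool // strict, system roots: should be false for a self-signed target
	SystemRootsRejected bool // strict, system roots: rejection was due to the certificate
	PinnedAccepted      bool // strict, target cert pinned: the supported strict setup
}

func runScenario() (outcome, error) {
	target := newBackupTarget()
	defer target.Close()
	var o outcome
	var err error
	if o.LenientAccepted, _, err = uploadBackup(lenientClient(), target.URL); err != nil {
		return o, err
	}
	if o.SystemRootsAccepted, o.SystemRootsRejected, err = uploadBackup(strictClient(nil), target.URL); err != nil {
		return o, err
	}
	// Trust exactly the certificate the operator has verified for the target.
	roots := x509.NewCertPool()
	roots.AddCert(target.Certificate())
	o.PinnedAccepted, _, err = uploadBackup(strictClient(roots), target.URL)
	return o, err
}

func main() {
	o, err := runScenario()
	if err != nil {
		fmt.Println("unexpected transport error:", err)
		return
	}
	fmt.Printf("no validation (InsecureSkipVerify): transfer proceeded = %v\n", o.LenientAccepted)
	fmt.Printf("system roots only: transfer proceeded = %v, certificate rejected = %v\n",
		o.SystemRootsAccepted, o.SystemRootsRejected)
	fmt.Printf("explicit trust anchor: transfer proceeded = %v\n", o.PinnedAccepted)
}
```

The point of the three runs is that the strictly validating client is not simply "the one that fails": with the target's certificate installed as a trust anchor it completes the transfer, which is the state KB75156 asks operators to reach after the update, while a client that skips verification completes the transfer against any certificate at all.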
Fixed Version(s) and Release Notes: