====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN282
_____________________________________________________________________

DATE                : 19/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware Cloud Director versions
                      prior to 10.0.0.2, 9.7.0.5, 9.5.0.6, 9.1.0.4.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2020-0010.html
_____________________________________________________________________


VMware Security Advisories


Advisory ID             VMSA-2020-0010
Advisory Severity       Important
CVSSv3 Range            8.8
Synopsis                VMware Cloud Director updates address Code
                         Injection Vulnerability (CVE-2020-3956)
Issue Date              2020-05-19
Updated On              2020-05-19 (Initial version)
CVE(s)                  CVE-2020-3956


1. Impacted Products

VMware Cloud Director (formerly known as vCloud Director)


2. Introduction

A code injection vulnerability in VMware Cloud Director was privately
reported to VMware. Patches and workarounds are available to remediate
or workaround this vulnerability in affected VMware products.


3. VMware Cloud Director updates address Code Injection Vulnerability
(CVE-2020-3956)

Description:
VMware Cloud Director does not properly handle input leading to a code
injection vulnerability. VMware has evaluated the severity of this issue
to be in the Imporant severity range with a maximum CVSSv3 base score of
8.8.


Known Attack Vectors:
An authenticated actor may be able to send malicious traffic to VMware
Cloud Director which may lead to arbitrary remote code execution. This
vulnerability can be exploited through the HTML5- and Flex-based UIs,
the API Explorer interface and API access.


Resolution:
To remediate CVE-2020-3956 apply the patches listed in the 'Fixed
Version' column of the 'Response Matrix' found below.


Workarounds:
Workarounds for CVE-2020-3956 have been documented in the VMware
Knowledge Base article listed in the 'Workarounds' column the 'Response
Matrix' found below.


Additional Documentation:
None.

Notes:
None.


Acknowledgements:

VMware would like to thank Tomáš Melicher and Lukáš Václavík of Citadelo
for reporting this issue to us.


Product 	Version 	Running On 	CVE Identifier 	CVSSV3 	Severity
Fixed_Version 	Workarounds 	Additional Documentation


VMware Cloud Director 	10.1.0 	Linux, PhotonOS appliance  CVE-2020-3956
	N/A	N/A 	Not affected	N/A	None


vCloud Director	10.0.x	Linux, PhotonOS appliance	CVE-2020-3956
	8.8	Important	10.0.0.2	KB79091 	None


vCloud Director	9.7.x 	Linux, PhotonOS appliance  	CVE-2020-3956
	8.8	Important	9.7.0.5	KB79091 	None


vCloud Director  9.5.x 	Linux, PhotonOS appliance CVE-2020-3956 	8.8
Important 	9.5.0.6 	KB79091 	None


vCloud Director 	9.1.x 	Linux 	CVE-2020-3956 	8.8 	Important 	9.1.0.4
KB79091 	None


vCloud Director 	9.0.x 	Linux 	CVE-2020-3956 	N/A 	N/A 	Not affected
N/A 	None


vCloud Director 	8.x 	Linux 	CVE-2020-3956 	N/A 	N/A 	Not affected
N/A 	None



4. References


Downloads and Documentation:
www.vmware.com/go/download/vcloud-director


vCloud Director 10.0.0.2
https://docs.vmware.com/en/VMware-Cloud-Director/10.0/rn/VMware-vCloud-Director-for-Service-Providers-10002-Release-Notes.html


vCloud Director 9.7.0.5
https://docs.vmware.com/en/VMware-Cloud-Director/9.7/rn/VMware-vCloud-Director-for-Service-Providers-9705-Release-Notes.html


vCloud Director 9.5.0.6
https://docs.vmware.com/en/VMware-Cloud-Director/9.5/rn/vCloud-Director-9506-for-Service-Providers-Release-Notes.html


vCloud Director 9.1.0.4
https://docs.vmware.com/en/VMware-Cloud-Director/9.1/rn/vCloud-Director-9104-for-Service-Providers-Release-Notes.html



Workarounds
https://kb.vmware.com/s/article/79091


Mitre CVE Dictionary Links
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3956


FIRST CVSSv3 Calculator
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H



5. Change log


2020-05-19 VMSA-2020-0010
Initial security advisory.



6. Contact


E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce


This Security Advisory is posted to the following list:
security-announce@lists.vmware.com


E-mail:
security@vmware.com


PGP key at:
https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2020 VMware Inc. All rights reserved.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================