vRealize Automation 7.x Workaround for CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479


Article ID: 336837

Products

VMware Aria Suite

Issue/Introduction

CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479 have been determined to affect vRealize Automation 7.x. These vulnerabilities, their effect on VMware products, and VMware's overall response are documented in VMSA-2019-0010. Review that advisory before continuing, as it may cover considerations outside the scope of this article, including permanent solutions.
The vRealize Automation team has determined that these issues can be mitigated by performing the steps in the Resolution section of this article. The workaround is a temporary measure only; permanent fixes will be released as soon as they are available.
 

Warning

This workaround is applicable ONLY to vRealize Automation 7.x. Do not apply this workaround to other VMware products.
 

Functionality Impacts

No functionality impacts are known at the time of publishing this article.

Environment

VMware vRealize Automation 7.x

Resolution

To implement the workaround for CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479, perform the following steps:
  1. Log in to each vRealize Automation Virtual Appliance in the cluster as root via SSH or the console.
  2. Run the following commands:
iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP

These rules drop incoming TCP segments with the SYN flag set that advertise a Maximum Segment Size of 500 bytes or less; all three issues depend on a remote peer negotiating a very small MSS. The -I option inserts each rule at the top of the INPUT chain, so it is evaluated before any existing ACCEPT rules. Running the commands more than once adds duplicate rules, each of which must later be deleted separately.

Note: Rules added this way do not survive a reboot. To make the workaround persistent, edit /etc/bootstrap/everyboot.d/02-iptables and add the lines above.

To confirm that the workaround for CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479 has been correctly applied, run the following commands on each vRealize Automation Virtual Appliance in the cluster:
iptables -L | grep tcpmss
ip6tables -L | grep tcpmss

Each command should print the DROP rule, including the text tcpmss match 1:500. No output means the rule is not present on that appliance. Adding -n (for example, iptables -nL) skips reverse DNS lookups, which can otherwise make -L slow to return.
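The grep above only shows that some tcpmss rule exists; it does not confirm that the rule drops, covers the 1:500 range, or sits ahead of the ACCEPT rules that a new connection would otherwise hit. The following checker is an added example (not VMware's code, and not part of the appliance) that parses the iptables-save style output of `iptables -S INPUT` or `ip6tables -S INPUT` and reports whether a rule equivalent to the workaround is present, where it sits in the chain, and which earlier ACCEPT rules could match a TCP SYN before it. The three listings embedded below are constructed for illustration, not captured from an appliance.

```python
"""Verify the low-MSS SYN DROP rule in an INPUT chain listing.

Added verification helper, not VMware's code. Input is the text printed by
`iptables -S INPUT` / `ip6tables -S INPUT`; the sample listings at the bottom
are constructed for illustration.
"""
import shlex
import subprocess

MSS_LOW, MSS_HIGH = 1, 500  # range the workaround rule is expected to drop


def parse_rule(line):
    """Turn one `-A CHAIN ...` line into {option: [args]}. Options that repeat
    (e.g. `-m tcp -m tcpmss`) accumulate; a `!` prefix is folded into the key
    so negated matches never pass as positive ones."""
    opts, key, negate = {}, None, False
    for tok in shlex.split(line):
        if tok == "!":
            negate = True
        elif tok.startswith("-"):
            key = ("!" if negate else "") + tok
            negate = False
            opts.setdefault(key, [])
        elif key is not None:
            opts[key].append(tok)
    return opts


def mss_range(opts):
    """Return (low, high) from `--mss N` or `--mss N:M`, or None if absent."""
    val = opts.get("--mss")
    if not val:
        return None
    lo, _, hi = val[0].partition(":")
    return int(lo), int(hi or lo)


def is_workaround_rule(opts):
    """True for a rule equivalent to
    `-p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP`:
    a DROP of SYN-flagged TCP segments whose MSS range covers 1..500."""
    rng = mss_range(opts)
    return (
        opts.get("-A") == ["INPUT"]
        and opts.get("-p") == ["tcp"]
        and opts.get("--tcp-flags") == ["SYN", "SYN"]
        and "tcpmss" in opts.get("-m", [])
        and rng is not None
        and rng[0] <= MSS_LOW
        and rng[1] >= MSS_HIGH
        and opts.get("-j") == ["DROP"]
    )


def may_shadow(opts):
    """Heuristic: an ACCEPT that a fresh TCP SYN could hit if it precedes the
    DROP. Loopback-only and RELATED/ESTABLISHED-only accepts are excluded;
    address and interface matches are not evaluated, so a hit is a prompt to
    review the chain, not proof that the workaround is bypassed."""
    if opts.get("-j") != ["ACCEPT"]:
        return False
    if opts.get("-p", ["all"])[0] not in ("tcp", "all"):
        return False
    if opts.get("-i") == ["lo"]:
        return False
    states = opts.get("--state", opts.get("--ctstate", ["NEW"]))[0].split(",")
    return "NEW" in states


def check_chain(listing):
    """Evaluate `-S INPUT` output. Returns {'applied': bool, 'position': index
    of the workaround rule among -A INPUT rules or None, 'shadowed_by': earlier
    ACCEPT rules that may match a SYN first}."""
    rules = [(l, parse_rule(l)) for l in listing.splitlines() if l.startswith("-A INPUT")]
    for idx, (_, opts) in enumerate(rules):
        if is_workaround_rule(opts):
            shadows = [line for line, o in rules[:idx] if may_shadow(o)]
            return {"applied": True, "position": idx, "shadowed_by": shadows}
    return {"applied": False, "position": None, "shadowed_by": []}


def check_live(cmd="iptables"):
    """Run `<cmd> -S INPUT` on this host (requires root) and evaluate it."""
    out = subprocess.run([cmd, "-S", "INPUT"], check=True, capture_output=True, text=True).stdout
    return check_chain(out)


# Constructed listings (not captured from an appliance).
APPLIED = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
"""
# Rule added with -A instead of -I: it sits after the HTTPS ACCEPT, so a
# low-MSS SYN to port 443 is accepted before the DROP is ever consulted.
APPENDED_LATE = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
"""
# `grep tcpmss` matches this line, but the rule only logs; nothing is dropped.
LOG_ONLY = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j LOG
"""

if __name__ == "__main__":
    for name, text in (("applied", APPLIED), ("appended late", APPENDED_LATE), ("log only", LOG_ONLY)):
        print(f"{name}: {check_chain(text)}")
```

On an appliance, `check_live()` and `check_live("ip6tables")` run the check against the live IPv4 and IPv6 chains; a result with `applied` set but a non-empty `shadowed_by` usually means the persistent copy of the rule was appended rather than inserted at the top of the chain.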


To remove the workaround for CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479 at a later time, run the following commands on each vRealize Automation Virtual Appliance in the cluster:
iptables -D INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
ip6tables -D INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP

Each -D invocation deletes one matching rule. If the insert commands were run more than once, repeat the delete commands until iptables reports that no matching rule exists in the chain, then re-run the confirmation commands above to verify that no tcpmss rule remains.

Note: If the workaround was made persistent, edit /etc/bootstrap/everyboot.d/02-iptables and remove the lines above.

For up-to-date information on CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479, as well as future security information, add your email address to the "Sign up for Security Advisories" window found in VMSA-2019-0010.