vRealize Orchestrator 7.x Workaround for CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479

Article ID: 338074

Products

VMware Aria Suite

Issue/Introduction

CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479 have been determined to affect vRealize Orchestrator 7.x. These vulnerabilities, their effect on VMware products, and VMware's overall response are documented in VMSA-2019-0010. Please review this advisory before continuing, as there may be considerations outside the scope of this particular document, including permanent solutions.

The vRealize Orchestrator team has determined that the aforementioned issues can be mitigated by performing the steps detailed in the resolution section of this article. This workaround is meant to be a temporary solution only - permanent fixes will be released as soon as they are available.

Warning

This workaround is applicable ONLY to vRealize Orchestrator 7.x. Do not apply this workaround to other VMware products.

No functionality impacts.

Environment

VMware vRealize Orchestrator 7.x

Resolution

Implement the workaround for CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479

On each vRealize Orchestrator Virtual Appliance in the cluster, run these commands:

iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP

Note: To make the workaround persistent, edit /etc/bootstrap/everyboot.d/02-iptables and add the lines above.

Confirm the workaround for CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479

On each vRealize Orchestrator Virtual Appliance in the cluster, run these commands:

iptables -L | grep tcpmss
ip6tables -L | grep tcpmss

Remove the workaround for CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479

On each vRealize Orchestrator Virtual Appliance in the cluster, run these commands:

iptables -D INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
ip6tables -D INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP

Note: If the workaround was made persistent, edit /etc/bootstrap/everyboot.d/02-iptables and remove the lines above.
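The apply, confirm, remove and persistence steps above, gathered into one helper script so that repeated runs never stack duplicate copies of the rule at the head of INPUT. This is an added example, not VMware's own tooling; it assumes iptables and ip6tables with the tcpmss match, the persistence file path named in this article, and root privileges for the live-ruleset changes.

```shell
#!/bin/sh
# Added example (not VMware's script): idempotent apply/verify/remove helpers
# for the SYN/MSS DROP rule from this article on a vRO 7.x appliance.
# Assumed: iptables/ip6tables with tcpmss, the persistence file path below.

RULE_SPEC='INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP'
PERSIST_FILE="${PERSIST_FILE:-/etc/bootstrap/everyboot.d/02-iptables}"

# Return 0 if a ruleset listing on stdin (`iptables -L INPUT -n` output)
# already carries a DROP rule with the tcpmss 1:500 match.
rule_listed() { grep tcpmss | grep '1:500' | grep -q DROP; }

# Live check for one tool ($1 = iptables | ip6tables); needs root.
rule_live() { "$1" -L INPUT -n 2>/dev/null | rule_listed; }

# Insert only when absent, so re-running the workaround is harmless.
apply_rule() { rule_live "$1" || "$1" -I $RULE_SPEC; }

# -D removes one copy per call; loop so leftover duplicates are cleared too.
remove_rule() { while rule_live "$1"; do "$1" -D $RULE_SPEC || break; done; }

# Persistence-file helpers ($1 = file, $2 = tool): exact-line, idempotent.
persisted()    { grep -qxF "$2 -I $RULE_SPEC" "$1" 2>/dev/null; }
persist_rule() { persisted "$1" "$2" || printf '%s -I %s\n' "$2" "$RULE_SPEC" >> "$1"; }
unpersist_rule() {
    [ -f "$1" ] || return 0
    grep -vxF "$2 -I $RULE_SPEC" "$1" > "$1.tmp" || true   # grep -v fails on empty result
    mv "$1.tmp" "$1"
}

# Dispatch: ./vro-mss.sh apply | remove | status (no argument does nothing).
case "${1:-}" in
    apply)  for t in iptables ip6tables; do apply_rule "$t"; persist_rule "$PERSIST_FILE" "$t"; done ;;
    remove) for t in iptables ip6tables; do remove_rule "$t"; unpersist_rule "$PERSIST_FILE" "$t"; done ;;
    status) for t in iptables ip6tables; do
                rule_live "$t" && live=yes || live=no
                persisted "$PERSIST_FILE" "$t" && kept=yes || kept=no
                echo "$t: live=$live persisted=$kept"
            done ;;
esac
```

`status` reports both the live ruleset and the persistence file per tool, which catches the case where a rule was added by hand but never persisted (or the reverse).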

For up-to-date information on CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479, as well as future security information, please add your email address to the Sign up for Security Advisories window found in VMSA-2019-0010.