Security Vulnerabilities in VMware Telco Cloud Automation 2.x and 3.x

Article ID: 379679


Products

VMware Telco Cloud Automation

Issue/Introduction

Multiple vulnerabilities were identified in VMware Telco Cloud Automation (TCA) versions 2.x and 3.x, including verbose error messages, cleartext passwords in logs, outdated third-party libraries, inadequate access control, and information disclosure.

Environment

VMware Telco Cloud Automation 2.x and 3.x

Cause

Several issues have been identified in TCA 2.x and 3.x:

1. Outdated Third-Party Libraries

The TCA application uses third-party libraries with known vulnerabilities (e.g., Moment.js, jQuery UI, AngularJS, DOMPurify) that expose it to high-risk CVEs, including ReDoS attacks, XSS vulnerabilities, and code injection risks.

2. Out-of-Date Software

The software contains outdated versions (e.g., SwaggerUI, Apache, GLIBC) that are susceptible to vulnerabilities such as SSRF, Denial of Service (DoS), and privilege escalation.

3. Insufficient Access Control

Access control mechanisms in TCA are insufficient, allowing users to access unauthorized data or perform actions beyond their intended roles.

4. Information Disclosure

Verbose error messages are being returned to users, exposing stack traces and sensitive server information that could aid attackers in exploiting weaknesses.

5. Cleartext Passwords

Passwords are written to logs in cleartext or merely base64 encoded (an encoding that is trivially reversible, not a protection), which could allow anyone with access to the logs to gain access to critical data or escalate privileges.
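As an added check, not part of this advisory or of VMware's tooling, the scanner below flags unmasked password values in log lines, distinguishes cleartext values from base64-encoded ones, and redacts them; the sample log lines and field names are constructed assumptions, not TCA's actual log format.

```python
import base64
import re

# Matches password-like keys in key=value, key: value or JSON "key": "value" form.
CRED_RE = re.compile(
    r'(?i)(?P<key>\b(?:password|passwd|pwd)\b)(?P<sep>["\']?\s*[:=]\s*["\']?)'
    r'(?P<val>[^\s"\',}]+)'
)
B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')

def classify_value(value):
    """Return 'masked', 'base64' or 'cleartext' for a captured password value."""
    if set(value) <= set('*x') or value.upper() in {'[REDACTED]', '<REDACTED>'}:
        return 'masked'
    if len(value) % 4 == 0 and B64_RE.match(value):
        try:
            decoded = base64.b64decode(value, validate=True)
            if decoded and all(32 <= b < 127 for b in decoded):
                return 'base64'  # decodes to printable text: trivially reversible
        except ValueError:
            pass
    return 'cleartext'

def find_credential_leaks(lines):
    """Return (line_number, key, kind) for every unmasked password in the log."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in CRED_RE.finditer(line):
            kind = classify_value(m.group('val'))
            if kind != 'masked':
                findings.append((n, m.group('key'), kind))
    return findings

def redact(line):
    """Replace every captured password value with a fixed marker."""
    return CRED_RE.sub(lambda m: f"{m.group('key')}{m.group('sep')}[REDACTED]", line)

# Constructed sample log lines (hypothetical, not real TCA output).
SAMPLE_LOG = [
    '2024-05-01T10:00:00Z INFO  auth login user=admin password=Hunter2!',
    '2024-05-01T10:00:01Z DEBUG vim config {"host": "vc01", "password": "U3VwZXJTZWNyZXQxMjM="}',
    '2024-05-01T10:00:02Z INFO  task 42 completed',
    '2024-05-01T10:00:03Z INFO  ssh connect user=root password=********',
]

if __name__ == '__main__':
    for n, key, kind in find_credential_leaks(SAMPLE_LOG):
        print(f'line {n}: {key} value is {kind}')
    for line in SAMPLE_LOG:
        print(redact(line))
```

Run it over exported log bundles before sharing them with support, and apply `redact` in any log-forwarding pipeline until the 3.1.1 fix is in place.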

6. Brute Force Protection

TCA itself does not implement brute force protection, because authentication is delegated to an external identity provider; the finding is therefore not directly applicable to TCA and is not an issue specific to the TCA platform.


Resolution

Fixed in TCA 3.1.1:

  1. Outdated Libraries: All but one vulnerability related to outdated libraries will be mitigated. The remaining issue with Java Library Disclosure (information disclosure) is planned for TCA 3.2.
  2. Outdated Software: Security updates addressing vulnerabilities in components like SwaggerUI and Apache will be applied in TCA 3.1.1.
  3. Insufficient Access Control: Enhanced access control mechanisms will be implemented in TCA 3.1.1 to address this vulnerability.
  4. Information Disclosure: Verbose error messages will be replaced with custom error pages, reducing the risk of sensitive information exposure.
  5. Cleartext Passwords: Password management will be improved to remove cleartext passwords from logs in TCA 3.1.1.

Items not fixed in TCA 3.1.1:

  • Brute Force Protection: As brute force protection is handled by an external identity provider, this is considered a "Won't Fix" and will not be addressed in any version of TCA.

Fixes planned for TCA 3.2:

  • Java Library Disclosure: This vulnerability related to information disclosure is targeted for resolution in TCA 3.2.