Security Advisory Notice

Note

This page has been archived as of October 15, 2020. Going forward, security advisories related to Avi Vantage (now VMware NSX Advanced Load Balancer, NSX ALB) will be available at the VMware Security Advisories page.

This article highlights the security vulnerabilities, the associated CVEs, and the version of Avi Vantage in which they are addressed.

These vulnerabilities were found in third-party libraries or software used by the Avi Vantage product. Most of them are associated with multiple CVEs, and each CVE is assigned a priority by the vendor. Avi assigns the component/vulnerability the highest priority among its CVEs and expects the respective vendor to develop, test, and release the security patch. Once the vendor releases the security patch, Avi will resolve the vulnerability within the following timeframe:

  • High priority — Within two weeks of the security patch release.
  • Medium and low priority — Within the quarter following the security patch release. For instance, if the vendor released the security patch in Q1, Avi will include it in the product by Q2.

All these vulnerabilities will be resolved by including the vendor-provided security patch in either a periodic maintenance release or an Avi Vantage software patch.

Component | Description | Priority | Related CVEs | Links | Resolved from | Avi Security Bulletins
Cyrus SASL | Vulnerability in the cyrus-sasl library | Low | CVE-2019-19906 | - | Avi Vantage is not impacted | -
NSS Stack | Vulnerability in certain apps incorrectly using crypto APIs in the NSS stack | Low | CVE-2019-11745 | - | Avi Vantage is not impacted | -
ModSecurity | DoS vulnerability in ModSecurity | Low | CVE-2020-15598 | - | Avi Vantage is not impacted | -
OpenSSL | Raccoon attack | Low | CVE-2020-1968 | - | Avi Vantage is not impacted | -
OpenSSL | Segmentation fault in SSL_check_chain | High | CVE-2020-1967 | - | Avi Vantage is not impacted | -
Linux kernel vulnerabilities | SACK panic | High | CVE-2019-11477 | USN-4017-1 | 18.2.8 | -
Linux kernel vulnerabilities | SACK slowness (Linux < 4.15) or excess resource usage (all Linux versions) | High | CVE-2019-11478 | USN-4017-1 | 18.2.8 | -
FreeBSD vulnerability | SACK slowness (FreeBSD 12 using the RACK TCP stack) | Medium | CVE-2019-11815 | - | No patches required. See [B] | -
Linux kernel vulnerabilities | Excess resource consumption due to low MSS values (all Linux versions) | Medium | CVE-2019-11479 | - | 18.2.8 | -
Linux kernel (Azure) vulnerabilities | Several security issues were fixed in the Linux kernel. | Low | CVE-2018-10876, CVE-2018-10877, CVE-2018-10878, CVE-2018-10879, CVE-2018-10880, CVE-2018-10882, CVE-2018-10883, CVE-2018-14625, CVE-2018-16882, CVE-2018-17972, CVE-2018-18281, CVE-2018-19407, CVE-2018-9516 | USN-3871-5 | 18.2.2, 17.2.15 | -
OpenSSH vulnerabilities | Several security issues were fixed in OpenSSH. | Low | CVE-2018-20685, CVE-2019-6109, CVE-2019-6111 | USN-3885-1 | 18.2.2, 17.2.15 | -
Linux kernel vulnerabilities | Several security issues were fixed in the Linux kernel. | Low | CVE-2018-1066, CVE-2018-17972, CVE-2018-18281, CVE-2018-9568 | USN-3880-1 | 18.2.2, 17.2.15 | -
Linux kernel (Xenial HWE) vulnerabilities | Several security issues were fixed in the Linux kernel. | Low | CVE-2018-10883, CVE-2018-16862, CVE-2018-19407, CVE-2018-19824, CVE-2018-20169 | USN-3879-2 | 18.2.2, 17.2.15 | -
Django vulnerability | Django could be made to expose spoofed information over the network. | Low | CVE-2019-3498 | USN-3851-1 | 18.2.1, 17.2.15 | -
Linux kernel (Xenial HWE) vulnerabilities | Several security issues were fixed in the Linux kernel. | Low | CVE-2017-18174, CVE-2018-12896, CVE-2018-18690, CVE-2018-18710 | USN-3848-2 | 18.1.5 | -
Linux kernel vulnerabilities | Several security issues were fixed in the Linux kernel. | Low | CVE-2017-2647, CVE-2018-10902, CVE-2018-12896, CVE-2018-14734, CVE-2018-16276, CVE-2018-18386, CVE-2018-18690, CVE-2018-18710 | USN-3849-1 | 18.1.5 | -
Linux kernel (Azure) vulnerabilities | Several security issues were fixed in the Linux kernel. | Low | CVE-2018-10902, CVE-2018-12896, CVE-2018-14734, CVE-2018-16276, CVE-2018-18445, CVE-2018-18690, CVE-2018-18710 | USN-3847-3 | 18.1.5 | -
lxml vulnerability | lxml could allow cross-site scripting (XSS) attacks. | Low | CVE-2018-19787 | USN-3841-1 | 18.1.5, 17.2.14 | -
OpenSSL vulnerabilities | Several security issues were fixed in OpenSSL. | Low | CVE-2018-0734, CVE-2018-0735, CVE-2018-5407 | USN-3840-1 | 18.1.5, 17.2.14 | -
libssh regression | USN-3795-1 and USN-3795-2 introduced a regression in libssh. | Low | - | USN-3795-3 | 18.1.5, 17.2.14 | -
OpenSSL vulnerabilities | Several security issues were fixed in OpenSSL. | Low | CVE-2018-0495, CVE-2018-0732, CVE-2018-0737 | USN-3692-1 | 18.1.2, 17.2.12 | -
OpenJDK 7 vulnerabilities | Several security issues were fixed in OpenJDK 7. | Medium | CVE-2018-2790, CVE-2018-2794, CVE-2018-2795, CVE-2018-2796, CVE-2018-2797, CVE-2018-2798, CVE-2018-2799, CVE-2018-2800, CVE-2018-2814, CVE-2018-2815 | USN-3691-1 | 17.2.12 | -
Libgcrypt vulnerability | Libgcrypt could be made to expose sensitive information. | Low | CVE-2018-0495 | USN-3689-1 | 17.2.11, 18.1.2 | -
GnuPG vulnerabilities | Several security issues were fixed in GnuPG. | Medium | CVE-2018-12020, CVE-2018-9234 | USN-3675-1 | 17.2.12, 18.1.2 | -
elfutils vulnerabilities | elfutils could be made to crash or consume resources if it opened a specially crafted file. | Medium | CVE-2016-10254, CVE-2016-10255, CVE-2017-7607, CVE-2017-7608, CVE-2017-7609, CVE-2017-7610, CVE-2017-7611, CVE-2017-7612, CVE-2017-7613 | USN-3670-1 | 17.2.11, 18.1.2 | -
Linux kernel vulnerabilities | Several security issues were addressed in the Linux kernel. | Medium | CVE-2017-12134, CVE-2017-13220, CVE-2017-13305, CVE-2017-17449, CVE-2017-18079, CVE-2017-18203, CVE-2017-18204, CVE-2017-18208, CVE-2017-18221, CVE-2018-3639, CVE-2018-8822 | USN-3655-1 | 17.2.11 | -
curl vulnerabilities | Several security issues were fixed in curl. | Medium | CVE-2018-1000300, CVE-2018-1000301 | USN-3648-1 | 17.2.11 | -
Patch vulnerabilities | Several security issues were fixed in Patch. | Medium | CVE-2016-10713, CVE-2018-1000156, CVE-2018-6951 | USN-3624-1 | 17.2.9 | -
Python Crypto vulnerability | Python Crypto could expose sensitive information. | Medium | CVE-2018-6594 | USN-3616-1 | 17.2.10 | -
OpenSSL vulnerability | OpenSSL could be made to crash if it received specially crafted network traffic. | Medium | CVE-2018-0739 | USN-3611-1 | 17.2.8 | -
Twisted vulnerability | Twisted could be made to run programs if it received specially crafted network traffic. | Low | CVE-2016-1000111 | USN-3585-1 | 17.2.8 | -
DHCP vulnerabilities | Several security issues were fixed in DHCP. | Medium | CVE-2016-2774, CVE-2017-3144, CVE-2018-5732, CVE-2018-5733 | USN-3586-1 | 17.2.8 | -
linux - Linux kernel | Several security issues were addressed in the Linux kernel. | High | CVE-2017-5715, CVE-2017-5753 | USN-3542-1, Ubuntu Wiki Spectre and Meltdown | 17.2.6 | Spectre and Meltdown
openssh - secure shell (SSH) for secure access to remote machines | Several security issues were fixed in OpenSSH. | Low | CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2017-15906 | USN-3538-1 | 17.2.6 | -
eglibc - GNU C Library, glibc - GNU C Library | Several security issues were fixed in the GNU C Library. | High | CVE-2017-1000408, CVE-2017-1000409, CVE-2017-15670, CVE-2017-15804, CVE-2017-16997, CVE-2017-17426, CVE-2018-1000001 | USN-3534-1 | 17.2.6 | -
linux - Linux kernel | Several security issues were fixed in the Linux kernel. | High | CVE-2017-5754 | USN-3524-1 | 17.2.6 | Spectre and Meltdown
curl - HTTP, HTTPS, and FTP client and client libraries | curl could be made to crash or run programs if it received specially crafted network traffic. | Medium | CVE-2017-1000257 | USN-3457-1 | 17.1.13 | -
curl - HTTP, HTTPS, and FTP client and client libraries | Several security issues were fixed in curl. | Medium | CVE-2016-9586, CVE-2017-1000100, CVE-2017-1000101, CVE-2017-1000254, CVE-2017-7407 | USN-3441-1 | 17.1.13 | -
eglibc - GNU C Library, glibc - GNU C Library | Several security issues were fixed in the GNU C Library. | Medium | CVE-2015-5180, CVE-2015-8982, CVE-2015-8983, CVE-2015-8984, CVE-2016-1234, CVE-2016-3706, CVE-2016-4429, CVE-2016-5417, CVE-2016-6323 | USN-3239-1 | 16.4.3 | -
gnutls26 - GNU TLS library | GnuTLS could be made to hang if it received specially crafted network traffic. | Low | CVE-2016-8610 | USN-3183-2 | 16.4.3 | -
curl - HTTP, HTTPS, and FTP client and client libraries | Several security issues were fixed in curl. | Medium | CVE-2016-7141, CVE-2016-7167, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624 | USN-3123-1 | 16.3 | -
ntp - Network Time Protocol daemon and utility programs | Several security issues were fixed in NTP. | Medium | CVE-2015-7973, CVE-2015-7974, CVE-2015-7975, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8158, CVE-2016-0727, CVE-2016-1547, CVE-2016-1548, CVE-2016-1550, CVE-2016-2516, CVE-2016-2518, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956 | USN-3096-1 | 16.2.4 | -
postgresql-9.1, postgresql-9.3, postgresql-9.5 - Object-relational SQL database | Several security issues were fixed in PostgreSQL. | Medium | CVE-2016-5423, CVE-2016-5424 | USN-3066-1 | 16.2.2 | -
openssh - secure shell (SSH) for secure access to remote machines | Several security issues were fixed in OpenSSH. | Medium | CVE-2016-6210, CVE-2016-6515 | USN-3061-1 | 16.2.2 | -
openssh - secure shell (SSH) for secure access to remote machines | Several security issues were fixed in OpenSSH. | Low | CVE-2015-8325, CVE-2016-1907, CVE-2016-1908, CVE-2016-3115 | USN-2966-1 | 16.1.3 | -
openssl - Secure Socket Layer (SSL) cryptographic library and tools | Several security issues were fixed in OpenSSL. | High | CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109 | USN-2959-1 | 16.2.1 | ROBOT (CVE-2017-6168)
eglibc - GNU C Library, glibc - GNU C Library | GNU C Library could be made to crash or run programs if it received specially crafted network traffic. | High | CVE-2015-7547 | USN-2900-1 | 16.1.3 | -
linux - Linux kernel | The system could be made to crash or run programs as an administrator. | High | CVE-2016-0728 | USN-2870-1 | 15.3.1 | -
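The "Resolved from" column lists one fix version per release train (17.2.x, 18.1.x, 18.2.x), so deciding whether a given Controller build carries a fix is not a plain version comparison. The following checker is an added example written for this page; it is not Avi or VMware code. It embeds a handful of rows copied from the table above as constructed sample data and assumes that a version string is major.minor.patch with major.minor being the train, that a build is fixed only when it is on the same train as a listed fix and at or above it (or on a train newer than every listed fix, on the assumption that later trains inherit earlier fixes), and that rows marked "Avi Vantage is not impacted" never count as exposure. Those rules are the example's own assumptions, not statements from the advisory.

```python
"""Check an installed Avi Vantage version against advisory table rows.

Added example, not part of the original advisory or the product.
Assumptions (not stated on the page):
  * "major.minor.patch" versions; "major.minor" is the release train;
  * a build is fixed only if it is on the same train as a listed fix and
    at or above it, or on a train newer than every listed fix;
  * resolved_from=None means "Avi Vantage is not impacted".
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'18.2.2' -> (18, 2, 2); '16.3' -> (16, 3, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def train(v: Version) -> Tuple[int, int]:
    """Release train of a version, e.g. (18, 2) for 18.2.8."""
    return (v[0], v[1])


def is_fixed(installed: str, resolved_from: Optional[List[str]]) -> bool:
    """True if `installed` carries the fix listed in `resolved_from`."""
    if resolved_from is None:          # "Avi Vantage is not impacted"
        return True
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in resolved_from]
    same_train = [f for f in fixes if train(f) == train(inst)]
    if same_train:
        # the table lists one fix per train: compare patch level on that train
        return inst >= min(same_train)
    # no fix listed for this train: only a strictly newer train is assumed safe
    return inst > max(fixes)


@dataclass
class Row:
    component: str
    priority: str
    cves: List[str]
    resolved_from: Optional[List[str]]  # None == not impacted


# Constructed sample: rows copied from the advisory table above.
ROWS = [
    Row("OpenSSL (SSL_check_chain)", "High", ["CVE-2020-1967"], None),
    Row("Linux kernel (SACK panic)", "High", ["CVE-2019-11477"], ["18.2.8"]),
    Row("OpenSSH", "Low",
        ["CVE-2018-20685", "CVE-2019-6109", "CVE-2019-6111"],
        ["18.2.2", "17.2.15"]),
    Row("Libgcrypt", "Low", ["CVE-2018-0495"], ["17.2.11", "18.1.2"]),
    Row("Linux kernel (Spectre)", "High",
        ["CVE-2017-5715", "CVE-2017-5753"], ["17.2.6"]),
]


def open_cves(installed: str, rows: List[Row] = ROWS) -> List[Tuple[str, str, str]]:
    """(priority, component, CVE) for every row that `installed` does not fix,
    highest priority first."""
    out = []
    for row in rows:
        if not is_fixed(installed, row.resolved_from):
            out.extend((row.priority, row.component, c) for c in row.cves)
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(out, key=lambda t: (order[t[0]], t[1], t[2]))


if __name__ == "__main__":
    import sys
    for installed in sys.argv[1:] or ["18.1.5"]:
        print(f"== {installed} ==")
        for prio, comp, cve in open_cves(installed):
            print(f"{prio:6} {comp:28} {cve}")
```

Run it as `python check_avi.py 18.1.5 18.2.8`: 18.1.5 reports the SACK panic row and the OpenSSH row as open, because the 18.1 train has no fix listed for either and 18.1.5 is older than the 18.2 fixes, while 18.2.8 reports nothing. The "newer train inherits" rule is the optimistic part of the assumptions; drop the final `return inst > max(fixes)` in favour of `return False` if you want a build on an unlisted train flagged until the vendor confirms.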

Footnotes:

[A]. Patch to disable SACK processing in Linux stack will be available by early July 2019. Patch from Canonical will be packaged in 18.2.5 (July 29th 2019).

[B]. User space IP stack used for VIP traffic does not use RACK. No additional patch required.

[C]. Awaiting fixes from Canonical.

Document Revision History

Date Change Summary
September 16, 2020 Added the ModSecurity DoS vulnerability (CVE-2020-15598)
September 16, 2020 Added the OpenSSL Raccoon attack vulnerability (CVE-2020-1968)
April 21, 2020 Added OpenSSL vulnerability CVE-2020-1967