VMware Security Announcement VMSA-2020-0003

VMSA-2020-0003 - vRealize Operations for Horizon Adapter updates address multiple security vulnerabilities (CVE-2020-3943, CVE-2020-3944, CVE-2020-3945)

vRealize Operations for Horizon Adapter contains multiple security vulnerabilities. Patches are available to remediate these vulnerabilities in affected VMware products.

vRealize Operations for Horizon Adapter remote code execution vulnerability (CVE-2020-3943)

vRealize Operations for Horizon Adapter uses a JMX RMI service which is not securely configured. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.0.

Known Attack Vectors:

An unauthenticated remote attacker who has network access to vRealize Operations, with the Horizon Adapter running, may be able to execute arbitrary code in vRealize Operations.

vRealize Operations for Horizon Adapter authentication bypass vulnerability (CVE-2020-3944)

vRealize Operations for Horizon Adapter has an improper trust store configuration leading to authentication bypass. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.6.

Known Attack Vectors:

An unauthenticated remote attacker who has network access to vRealize Operations, with the Horizon Adapter running, may be able to bypass Adapter authentication.

vRealize Operations for Horizon Adapter information disclosure vulnerability (CVE-2020-3945)

vRealize Operations for Horizon Adapter contains an information disclosure vulnerability due to incorrect pairing implementation between the vRealize Operations for Horizon Adapter and Horizon View. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors:

An unauthenticated remote attacker who has network access to vRealize Operations, with the Horizon Adapter running, may obtain sensitive information which can be used to bypass the adapter authentication mechanism.

The link below has all the details and download links to the software updates.

https://www.vmware.com/security/advisories/VMSA-2020-0003.html