VMware Security Announcement VMSA-2020-0016

Today VMware announced VMSA-2020-0016. This advisory covers VMware SD-WAN by VeloCloud; the updates address an SQL-injection vulnerability (CVE-2020-3973).

Impacted Products
  • VMware SD-WAN by VeloCloud (VeloCloud)

An SQL-injection vulnerability in VeloCloud was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products. VMware-hosted VeloCloud Orchestrators have been patched for this issue.

Advisory Details
The VeloCloud Orchestrator does not apply correct input validation which allows for blind SQL-injection. VMware has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 8.5.

Known Attack Vectors

A malicious actor with tenant access to VeloCloud Orchestrator could enter specially crafted SQL queries and obtain data to which they are not privileged.
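To make the advisory's two points concrete (missing input validation enabling blind SQL injection, and a tenant-scoped user reading data belonging to other tenants), here is an added example that is not VeloCloud's code and is not from the advisory. It models a multi-tenant lookup over a constructed in-memory SQLite table (the `edges` table, its columns and the sample rows are assumptions made for illustration) and shows the string-built query beside the parameterized fix: with the vulnerable form, a crafted filter value turns the `AND tenant_id = ...` guard into a no-op and the caller sees every tenant's rows; with bound parameters the same input is treated purely as data and matches nothing.

```python
import sqlite3

# Constructed stand-in for an orchestrator's multi-tenant data store.
# Assumption: table, column names and rows are illustrative, not VeloCloud's schema.
SCHEMA = """
CREATE TABLE edges (
    id        INTEGER PRIMARY KEY,
    tenant_id INTEGER NOT NULL,
    name      TEXT NOT NULL,
    serial    TEXT NOT NULL
);
"""
SAMPLE_ROWS = [
    (1, 100, "branch-a", "SER-100-A"),   # tenant 100
    (2, 100, "branch-b", "SER-100-B"),   # tenant 100
    (3, 200, "hq-edge",  "SER-200-HQ"),  # tenant 200 (must never be visible to tenant 100)
]


def open_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO edges VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_edges_vulnerable(conn, tenant_id, name):
    """Pattern the advisory describes: the caller-supplied 'name' is spliced into the
    SQL text, so it can change the statement rather than just the compared value.
    The tenant_id guard survives only as long as the attacker-controlled text
    does not append an OR clause behind it (AND binds tighter than OR in SQL)."""
    sql = (
        f"SELECT serial FROM edges WHERE tenant_id = {int(tenant_id)} "
        f"AND name = '{name}' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def find_edges_fixed(conn, tenant_id, name):
    """Hardened form: the statement is fixed at write time and both values are
    bound as parameters. Whatever 'name' contains is compared as a literal,
    so the tenant_id guard cannot be bypassed through this input."""
    sql = "SELECT serial FROM edges WHERE tenant_id = ? AND name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(tenant_id), name))]


if __name__ == "__main__":
    db = open_db()
    benign = "branch-a"
    crafted = "x' OR '1'='1"   # textbook tautology; here it only demonstrates the guard bypass
    print("vulnerable, benign :", find_edges_vulnerable(db, 100, benign))
    print("vulnerable, crafted:", find_edges_vulnerable(db, 100, crafted))  # leaks tenant 200's row
    print("fixed, benign      :", find_edges_fixed(db, 100, benign))
    print("fixed, crafted     :", find_edges_fixed(db, 100, crafted))       # []
```

The cross-tenant leak in the vulnerable variant is exactly why the advisory rates the issue "important" despite requiring tenant access: the tenant filter is enforced in the same string the tenant controls. Parameterized statements fix the class of bug; an allow-list check on `name` on top of that (for example, rejecting anything outside the characters an edge name may legitimately contain) is the "correct input validation" the advisory refers to and gives a defence-in-depth layer that also makes such requests easy to log and alert on.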
To remediate CVE-2020-3973, patch VeloCloud Orchestrator to 3.3.2 p2, 3.4.1 or later, or apply the patch for 3.2.2, 3.3.1, 3.3.2 or 3.4.0. It looks like a call to VMware Technical Support is needed to obtain the required patch or version.
Fixed Version(s) and Release Notes

Here is the link to the official advisory: