Avi Networks Security Bulletins
Note
This page has been archived as of October 15, 2020. Going forward, security advisories related to Avi Vantage (now VMware NSX Advanced Load Balancer, NSX ALB) will be available at the VMware Security Advisories page.
See also: Security Advisory Notice (for latest release)
Name | Summary |
---|---|
DoS Vulnerability (CVE-2020-15598) in ModSecurity | Avi Vantage version 17.2.8 and above is not impacted. Avi made changes to the underlying ModSecurity code to avoid performance and potential DoS issues; as part of those changes, the code base was updated so that it no longer performs multiple regex matches. This fix was applied to releases 17.2.8 and above. Analysis by Avi version: Avi Vantage 20.1.x: Avi has customised the underlying ModSecurity code over the last few years, so it is not impacted. Avi Vantage 18.2.x and 17.2.x (17.2.8 and above): Avi has customised the underlying ModSecurity code over the last few years, so these releases are not impacted. Avi Vantage 17.2.x (before 17.2.8): versions prior to 17.2.8 may be impacted. Note: Avi Vantage 17.2.x has reached end of support, so upgrading to a newer release is strongly recommended; refer to the Upgrade article for more information. |
Raccoon Attack (CVE-2020-1968) | Avi Vantage is not impacted. Avi Vantage 20.1.x: Avi Controllers use OpenSSL 1.0.2g, but the Avi configuration does not allow the use of DH-based cipher suites, so the Controller is not affected; Avi Service Engines use OpenSSL 1.0.2g as well as base OpenSSL 1.1.1. Avi Vantage 18.2.x (18.2.6 and above): Avi Controllers use OpenSSL 1.0.2g, but the Avi configuration does not allow the use of DH-based cipher suites, so the Controller is not affected; Avi Service Engines use OpenSSL 1.0.2g as well as base OpenSSL 1.1.1. Avi Vantage 18.2.x (18.2.5 and below): Avi Controllers and Service Engines use OpenSSL 1.0.2g, but the Avi configuration does not allow the use of DH-based cipher suites, so neither the Controller nor the Service Engine is affected. Avi Vantage 17.2.x: Avi Controllers and Service Engines use OpenSSL 1.0.2g, but the Avi configuration does not allow the use of DH-based cipher suites, so neither the Controller nor the Service Engine is affected. Note: Avi Vantage 17.2.x has reached end of support; customers are recommended to upgrade to a supported version for continued support and software updates. |
Access to Avi Controller file system and system calls via Avi DataScripts | |
Segmentation fault in SSL_check_chain (CVE-2020-1967) | Avi Vantage is not impacted. The Avi Controller uses OpenSSL 1.0.2g and is not affected by this vulnerability. The Avi Service Engine uses OpenSSL 1.0.2g as well as base OpenSSL 1.1.1; neither OpenSSL version is affected by this vulnerability. |
ROBOT | Avi Vantage is not vulnerable to the ROBOT attack, a variant of the adaptive chosen-ciphertext (Bleichenbacher) attack, which targets weak implementations of the RSA key exchange. |
Meltdown and Spectre | Avi Vantage running in a container or bare-metal environment is not impacted. When Avi Vantage Controller and Service Engine VMs run on Linux, Avi needs to update the kernel in the SE and Controller images to include the kernel patches released by the Linux community. |
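The Raccoon entry above rests on one configuration fact: no DH-based (finite-field Diffie-Hellman) cipher suites are allowed, which is the class of key exchange the attack targets; ECDHE and TLS 1.3 suites are outside its scope. The following is an added example, not Avi's code and not taken from any Avi configuration, that an operator can run against an exported cipher list (for instance the names printed by `openssl ciphers -v`) to confirm that property. It recognises both OpenSSL-style names (`DHE-RSA-...`) and IANA-style names (`TLS_DHE_RSA_WITH_...`); the sample list is constructed for illustration.

```python
import re

# Constructed sample cipher list (illustrative only, not from an Avi deployment):
# a mix of OpenSSL-style and IANA-style suite names, some of which use
# finite-field DH key exchange and should be flagged.
SAMPLE_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "DH-RSA-AES128-SHA",
    "AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_AES_256_GCM_SHA384",
    "DHE-PSK-AES128-CBC-SHA",
]

# Leading name tokens that identify the key-exchange family.
_FFDH_HEADS = {"DHE", "DH", "EDH", "ADH"}      # finite-field Diffie-Hellman
_ECDH_HEADS = {"ECDHE", "ECDH", "AECDH"}       # elliptic-curve Diffie-Hellman


def key_exchange(name: str) -> str:
    """Classify a cipher suite name by key-exchange family.

    Returns one of 'ffdh' (finite-field DH, the class Raccoon targets),
    'ecdh', 'rsa', 'psk', 'tls13' or 'other'. Only the suite name is
    inspected; no network access is involved.
    """
    n = name.strip().upper()
    if n.startswith("TLS_"):
        if "_WITH_" not in n:
            # TLS 1.3 suite names (TLS_AES_128_GCM_SHA256 etc.) carry no
            # key-exchange component; the exchange is negotiated separately.
            return "tls13"
        body = n[len("TLS_"):].split("_WITH_")[0]   # e.g. "DHE_RSA"
        openssl_style = False
    else:
        body = n
        openssl_style = True

    head = re.split(r"[-_]", body)[0]
    if head in _ECDH_HEADS:
        return "ecdh"
    if head in _FFDH_HEADS:
        return "ffdh"
    if head == "RSA":
        return "rsa"
    if head == "PSK":
        return "psk"
    if openssl_style:
        # OpenSSL names with no key-exchange prefix (AES128-SHA, DES-CBC3-SHA,
        # ...) denote plain RSA key exchange.
        return "rsa"
    return "other"


def dh_suites(ciphers):
    """Return the suite names in `ciphers` that use finite-field DH exchange."""
    return [c for c in ciphers if key_exchange(c) == "ffdh"]


def audit(ciphers):
    """Summarise a cipher list: total count, flagged DH suites, and a pass flag."""
    flagged = dh_suites(ciphers)
    return {"total": len(ciphers), "dh_suites": flagged, "ok": not flagged}


if __name__ == "__main__":
    result = audit(SAMPLE_CIPHERS)
    for suite in result["dh_suites"]:
        print(f"DH key exchange enabled: {suite}")
    print("PASS" if result["ok"] else "FAIL: DH-based suites present")
```

The check is name-based on purpose: it needs no live handshake and can be run on a configuration export or a change-review diff. A clean result means the configuration matches the mitigation the bulletin describes; a flagged suite is a configuration to revisit rather than evidence of exploitability by itself.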
Document Revision History
Date | Change Summary |
---|---|
September 16, 2020 | Added the DoS Vulnerability (CVE-2020-15598) in ModSecurity |
September 16, 2020 | Added the Raccoon Attack (CVE-2020-1968) vulnerability |
August 31, 2020 | Added DataScripts vulnerability |
April 21, 2020 | Added OpenSSL vulnerability CVE-2020-1967 - "Segmentation fault in SSL_check_chain" |