Workaround for OpenSLP security vulnerability in Horizon DaaS appliances (CVE-2019-5544)

Article ID: 328526

Updated On:

Products

VMware

Issue/Introduction

CVE-2019-5544, a security vulnerability in OpenSLP, has been determined to affect Horizon DaaS appliances. This vulnerability and its effect on VMware products are documented in VMSA-2019-0022. Please review this advisory before continuing as there may be considerations outside the scope of this particular document.

The DaaS team has investigated CVE-2019-5544 and determined that the possibility of exploitation can be removed by performing the steps detailed in the resolution section of this article. This workaround is meant to be a temporary solution only - permanent fixes will be released as soon as they are available.

Warning:

This workaround is applicable ONLY to Horizon DaaS appliances. Do not apply this workaround to other VMware products.

Functionality Impacts:

There is no known functionality impact from applying the workaround described in this article.

Resolution

Note:
In order to remove the risk of exploitation of the OpenSLP security issue CVE-2019-5544 in a DaaS environment, the ESXi patches should be applied. For more information see VMware Security Advisory VMSA-2019-0022.

To implement the workaround for CVE-2019-5544 perform the following steps:

  1. Download the workaround for the install version from the Customer Connect portal.
  2. Follow the instructions in the "Steps to follow" section of Readme.txt to apply the workaround to all management appliances in the DaaS deployments.
Note: The detailed help section in Readme.txt provides guidance on the options that are available when the steps are executed.

To remove the workaround for CVE-2019-5544 at a later time perform the following steps:


The workaround is not known to impact any functionality. However, if for any unforeseen reason there is a need to roll back, you can revert to the snapshot taken at the start of the workaround, as described in Readme.txt.

For up-to-date information on CVE-2019-5544, as well as future security information, please add your email address to the "Sign up for Security Advisories" window found in VMSA-2019-0022.