July 2, 2019 FN21
Man-in-the-middle Vulnerability related to vCenter [CVE-2019-11242]
A man-in-the-middle vulnerability related to vCenter access was found in Cohesity DataPlatform version 5.x and 6.x prior to 6.1.1c. Cohesity clusters did not verify TLS certificates presented by vCenter.
This vulnerability could expose the Cohesity user credentials configured to access vCenter. Exposure is limited to vCenter-only environments that have strict TLS certificate requirements.
To remediate the vulnerability, Cohesity recommends upgrading to Cohesity DataPlatform 6.1.1e or above. Customers currently on release 6.1.1c or above are not vulnerable to this issue and can disregard this notice.
Software downloads are available here: http://downloads.cohesity.com
If you have any questions, please reach out to Cohesity Support.
Vulnerability Type: Missing SSL Certificate Validation
Vendor of Product: Cohesity
Affected Product Code Base: Cohesity DataPlatform - Affected versions are Cohesity DataPlatform versions 5.x and 6.x prior to 6.1.1c. This is remediated in versions 6.1.1c and 6.2.
Impact: Information Disclosure
Attack Vectors: To exploit the vulnerability, someone must be able to present the Cohesity cluster with a forged vCenter TLS certificate.
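The weak client setting described in this notice (accepting any certificate vCenter presents) beside the corrected setting (chain and hostname verified against a trusted CA), as an added example that is not Cohesity code; the host name, CA bundle path and the vSphere REST session endpoint used in the login helper are assumptions:

```python
"""TLS client configuration for a vCenter connection: vulnerable vs. verified."""
import base64
import json
import ssl
import urllib.request
from typing import Optional

# Constructed example values, not taken from the advisory.
VCENTER_HOST = "vcenter.example.internal"
VCENTER_CA_BUNDLE = "/etc/ssl/certs/vcenter-ca.pem"  # assumed location of the vCenter CA


def insecure_context() -> ssl.SSLContext:
    """The vulnerable pattern: no chain or hostname check, so an on-path party
    presenting a forged vCenter certificate receives the vCenter credentials."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Remediated pattern: certificate chain validated against the given CA bundle
    (or the system trust store) and hostname checked against the certificate."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets CERT_REQUIRED and check_hostname=True.
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only if a forged certificate would be rejected."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def vcenter_login(host: str, user: str, password: str, ctx: ssl.SSLContext) -> str:
    """Create a vSphere Automation API session (assumed endpoint) using ctx.
    With insecure_context() the Basic credentials go to whoever answers on 443.
    Returns the session id; only meaningful against a real vCenter."""
    req = urllib.request.Request(
        f"https://{host}/rest/com/vmware/cis/session", method="POST")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)["value"]
```

Run context_is_safe() over the contexts a backup integration actually builds; any result of False is the condition this notice describes.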
Has vendor confirmed or acknowledged the vulnerability?
Cohesity acknowledges the efforts of Karlsruhe Institute of Technology researcher Thorsten Tuellmann who identified the vulnerability and participated in its responsible disclosure.