PT-2020-13064 · Silver Peak · Silver Peak Unity Orchestrator
Published
2020-11-05
·
Updated
2020-11-12
·
CVE-2020-12145
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Silver Peak Unity Orchestrator versions prior to 8.9.11+, 8.10.11+, or 9.0.1+
Description
The issue allows unauthorized access to the Orchestrator by manipulating HTTP headers to authenticate REST API calls from localhost. This can be achieved by introducing an HTTP HOST header set to 127.0.0.1 or localhost. Orchestrator instances hosted by customers, whether on-premise or in a public cloud provider, are affected.
Recommendations
For versions prior to 8.9.11+, update to version 8.9.11+ or later.
For versions prior to 8.10.11+, update to version 8.10.11+ or later.
For versions prior to 9.0.1+, update to version 9.0.1+ or later.
As a temporary workaround, consider restricting access to the REST API to minimize the risk of exploitation.
Fix
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Silver Peak Unity Orchestrator