Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

VMware Patches Critical Harbor Vulnerability

VMware this week released patches to address a critical vulnerability in Harbor, which was found to impact VMware Cloud Foundation and VMware Harbor Container Registry for PCF.

VMware this week released patches to address a critical vulnerability in Harbor, which was found to impact VMware Cloud Foundation and VMware Harbor Container Registry for PCF.

Harbor is an open source registry project for storing, signing and scanning container images for vulnerabilities. It integrates with Docker Hub, Docker Registry, Google Container Registry, and more, and allows users to easily download, upload, and scan images.

Tracked as CVE-2019-16097, the issue, a remote escalation of privilege, could result in attackers completely compromising vulnerable Harbor deployments.

Last week, Palo Alto Networks revealed that it had found over 1,300 Harbor registries exposed to the Internet with default settings, meaning that all were impacted by the vulnerability.

By exploiting the bug, attackers could download private projects, delete images in the registry, or replace them with poisoned ones.

In its advisory, VMware explains that the security flaw resides in the POST /api/users API of Harbor.

With a CVSSv3 base score of 9.8 and rated Critical, the vulnerability could allow a malicious actor with network access to the Harbor POST /api/users API to self-register a new administrative account.

“Successful exploitation of this issue may lead to a complete compromise of the Harbor deployment,” VMware explains.

VMware has released patches to address the vulnerability in VMware Harbor Container Registry for PCF (versions 1.8.3 and 1.7.6), but has yet to address it in VMware Cloud Foundation (which is affected only if the optional ‘Harbor Registry’ component has been deployed).

A workaround for this vulnerability also exists: users can disable self-registration in Harbor.

Related: Critical Vulnerability Exposes Harbor Registries to Attacks

Related: VMWare to Acquire Endpoint Security Firm Carbon Black

Related: VMware Unveils Security Enhancements in Virtual Cloud Network Offering

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.