VMware Patches Critical Harbor Vulnerability

VMware this week released patches to address a critical vulnerability in Harbor, which was found to impact VMware Cloud Foundation and VMware Harbor Container Registry for PCF.

Harbor is an open source registry project for storing, signing and scanning container images for vulnerabilities. It integrates with Docker Hub, Docker Registry, Google Container Registry, and more, and allows users to easily download, upload, and scan images.

Tracked as CVE-2019-16097, the issue, a remote escalation of privilege, could result in attackers completely compromising vulnerable Harbor deployments.

Last week, Palo Alto Networks revealed that it had found over 1,300 Harbor registries exposed to the Internet with default settings, meaning that all were impacted by the vulnerability.

By exploiting the bug, attackers could download private projects, delete images in the registry, or replace them with poisoned ones.

In its advisory, VMware explains that the security flaw resides in the POST /api/users API of Harbor.

With a CVSSv3 base score of 9.8 and rated Critical, the vulnerability could allow a malicious actor with network access to the Harbor POST /api/users API to self-register a new administrative account.

“Successful exploitation of this issue may lead to a complete compromise of the Harbor deployment,” VMware explains.

VMware has released patches to address the vulnerability in VMware Harbor Container Registry for PCF (versions 1.8.3 and 1.7.6), but has yet to address it in VMware Cloud Foundation (which is affected only if the optional ‘Harbor Registry’ component has been deployed).

A workaround for this vulnerability also exists: users can disable self-registration in Harbor.

Related: Critical Vulnerability Exposes Harbor Registries to Attacks

Related: VMWare to Acquire Endpoint Security Firm Carbon Black

Related: VMware Unveils Security Enhancements in Virtual Cloud Network Offering