Introduction: Open Virtualization Format. Open Virtualization Format (OVF) is an open standard for packaging and distributing virtual appliances or, more generally, software to be run in virtual machines.
Synopsis: Open Virtualization Format makes it possible to package a virtual appliance and run it on virtual machine platforms from different vendors, for example VMware.
Two of the vulnerabilities, CVE-2019-5532 and CVE-2019-5534, are rated “important” by VMware. Both belong to the OVF technology domain.
- CVE-2019-5534 – exposes login information via the virtual machine’s vAppConfig properties.
- CVE-2019-5532 – a malicious user with access to the log files can view the credentials used to deploy the OVF.
Official announcement: Please refer to the URL https://www.vmware.com/security/advisories/VMSA-2019-0013.html
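For CVE-2019-5534, a defender can check which OVF properties carry credentials before an appliance is deployed. The following is an added example, not code from VMware or from the original post: it scans an OVF descriptor's `ProductSection` properties, assuming the usual vSphere behaviour where those properties become the VM's vApp properties. The sample descriptor, its key names and the name-matching pattern are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"  # OVF 1.x envelope namespace
# Assumed heuristic for credential-like property keys; tune for your appliances.
SECRET_HINT = re.compile(r"pass(word|wd)?|secret|token|credential|api[_-]?key", re.I)

# Constructed sample descriptor; keys and values are made up.
SAMPLE_OVF = f"""<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}">
  <VirtualSystem ovf:id="appliance">
    <ProductSection>
      <Property ovf:key="hostname" ovf:type="string" ovf:value="app01"/>
      <Property ovf:key="admin_password" ovf:type="string" ovf:value="ChangeMe123"/>
      <Property ovf:key="db_pass" ovf:type="string" ovf:password="true"/>
      <Property ovf:key="root_login" ovf:type="string" ovf:password="true" ovf:value="s3cret"/>
    </ProductSection>
  </VirtualSystem>
</Envelope>"""


def _attr(elem, name):
    """Read an ovf:-qualified attribute, returning '' when it is absent."""
    return elem.get(f"{{{OVF_NS}}}{name}", "")


def audit_ovf_properties(descriptor_xml):
    """Return (key, finding) pairs for properties that look like stored credentials."""
    findings = []
    # For descriptors from untrusted sources, parse with a hardened XML parser.
    root = ET.fromstring(descriptor_xml)
    for prop in root.iter(f"{{{OVF_NS}}}Property"):
        key, value = _attr(prop, "key"), _attr(prop, "value")
        marked = _attr(prop, "password").lower() == "true"
        if not (marked or SECRET_HINT.search(key)):
            continue  # not credential-like
        if value:
            findings.append((key, "secret value embedded in descriptor"))
        elif not marked:
            findings.append((key, "secret-like key not marked ovf:password"))
        else:
            findings.append((key, "marked secret, value supplied at deploy time"))
    return findings


if __name__ == "__main__":
    for key, finding in audit_ovf_properties(SAMPLE_OVF):
        print(f"{key}: {finding}")
```

Any property it reports is a candidate for review after deployment, because the value entered for it may remain readable to anyone who can view the VM's configuration.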
OVF may carry more risk than just the vulnerabilities VMware alerted on this week. OVA files can carry malicious code to any virtual machine OS; even mere data files of a certain complexity can effectively launch exploits.