exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

VMware Security Advisory 2018-0006

VMware Security Advisory 2018-0006
Posted Jan 26, 2018
Authored by VMware | Site vmware.com

VMware Security Advisory 2018-0006 - vRealize Automation, vSphere Integrated Containers, and AirWatch Console updates address multiple security vulnerabilities.

tags | advisory, vulnerability
advisories | CVE-2017-4947, CVE-2017-4951
SHA-256 | a7f5423f8c7f90cafb0c91ed85894d3602ee3b38644e311a2ffdc0c540119c74

VMware Security Advisory 2018-0006

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2018-0006
Severity: Critical
Synopsis: vRealize Automation, vSphere Integrated Containers, and
AirWatch Console updates address multiple security
vulnerabilities
Issue date: 2018-01-26
Updated on: 2018-01-26 (Initial Advisory)
CVE number: CVE-2017-4947, CVE-2017-4951

1. Summary

vRealize Automation, vSphere Integrated Containers, and AirWatch
Console updates address multiple security vulnerabilities

2. Relevant Products

vRealize Automation (vRA)
vSphere Integrated Containers (VIC)
VMware AirWatch Console (AWC)

3. Problem Description

a) vRealize Automation and vSphere Integrated Containers
deserialization vulnerability via Xenon

vRealize Automation and vSphere Integrated Containers contain a
deserialization vulnerability via Xenon. Successful exploitation of
this issue may allow remote attackers to execute arbitrary code on
the appliance.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2017-4947 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/ Mitigation/
Product Version on Severity Apply Patch Workaround
========== ======= ======= ======== ================ ==========
vRA 7.3 Linux Critical KB52326, KB52316 None
vRA 7.2 Linux Critical KB52320 None
vRA 7.1.x Linux N/A not affected None
vRA 7.0.x Linux N/A not affected None
vRA 6.x Linux N/A not affected None
VIC 1.x Linux Critical 1.3.0 None

b) VMware AirWatch Console Cross Site Request Forgery (CSRF)

VMware AirWatch Console contains a Cross Site Request Forgery
vulnerability when accessing the App Catalog. An attacker may
exploit this issue by tricking users into installing a malicious
application on their devices.

VMware would like to thank Abhishek Vijay Nayak for reporting this
issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2017-4951 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/ Mitigation/
Product Version on Severity Apply Patch Workaround
========== ======= ======= ========= ============== ==========
AWC 9.2.x Any Important 9.2.2 None
AWC 9.1.x Any Important 9.1.5 None


4. Solution

Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.

VMware vRealize Automation 7.3
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations
_management/vmware_vrealize_automation/7_3
https://docs.vmware.com/en/vRealize-Automation/index.html

VMware vRealize Automation 7.2
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/infrastructure_operations
_management/vmware_vrealize_automation/7_2
https://docs.vmware.com/en/vRealize-Automation/index.html

VMware vSphere Integrated Containers 1.3
Downloads and Documentation:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_
infrastructure/vmware_vsphere_integrated_containers/1_3
https://www.vmware.com/support/pubs/vsphere-integrated-containers
-pubs.html

VMware AirWatch Console 9.2.2
Downloads and Documentation:
https://support.air-watch.com/articles/115015625647

VMware AirWatch Console 9.1.5
Downloads and Documentation:
https://my.air-watch.com/products/AirWatch-Console/Windows/v9.1.0.0

5. References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4947
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4951
https://kb.vmware.com/s/article/52326
https://kb.vmware.com/s/article/52316
https://kb.vmware.com/s/article/52320


- -----------------------------------------------------------------------

6. Change log

2018-01-26: VMSA-2018-0006
Initial security advisory in conjunction with the release of vRA
7.3 and 7.2 patches on 2018-01-26.

- ------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2018 VMware Inc. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.4.1 (Build 490)
Charset: utf-8

wj8DBQFaav9IDEcm8Vbi9kMRArt2AJ0QlLkS9Nk9deoWZfuUwh0/tPRDlACfTO2t
E+vpwz2XHE62PFzDUQIeRFs=
=iGI+
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    48 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close