-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2016-0013
Severity:    Important
Synopsis:    VMware Identity Manager and vRealize Automation updates
             address multiple security issues
Issue date:  2016-08-23
Updated on:  2016-08-23 (Initial Advisory)
CVE number:  CVE-2016-5335, CVE-2016-5336

1. Summary

   VMware Identity Manager and vRealize Automation updates address
   multiple security issues.

2. Relevant Products

   VMware Identity Manager
   vRealize Automation

3. Problem Description

   a. VMware Identity Manager local privilege escalation vulnerability

   VMware Identity Manager and vRealize Automation both contain a
   vulnerability that may allow for a local privilege escalation.
   Exploitation of this issue may allow an attacker with access to a
   low-privileged account to escalate their privileges to those of root.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   reserved the identifier CVE-2016-5335 for this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                  Product  Running            Replace with/
   Product                 Version  on       Severity  Apply Patch    Workaround
   ======================= =======  =======  ========= =============  ==========
   VMware Identity Manager 2.x      VA       Important 2.7            None
   vRealize Automation     7.0.x    VA       Important 7.1            None
   vRealize Automation     6.x      VA       N/A       not affected   N/A

   b. vRealize Automation remote code execution vulnerability

   vRealize Automation contains a vulnerability that may allow for
   remote code execution. Exploitation of this issue may lead to an
   attacker gaining access to a low-privileged account on the
   appliance.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   reserved the identifier CVE-2016-5336 for this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                  Product  Running            Replace with/
   Product                 Version  on       Severity  Apply Patch    Workaround
   ======================= =======  =======  ========= =============  ==========
   vRealize Automation     7.0.x    VA       Important 7.1            KB2146585
   vRealize Automation     6.x      VA       N/A       not affected   N/A

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   VMware Identity Manager 2.7
   Downloads and Documentation:
   https://my.vmware.com/en/web/vmware/info/slug/desktop_end_user_computing/vmware_identity_manager/2_7

   vRealize Automation 7.1
   Downloads and Documentation:
   https://my.vmware.com/group/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_automation/7_1#product_downloads

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5335
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5336
   https://kb.vmware.com/kb/2146585

- ------------------------------------------------------------------------

6. Change log

   2016-08-23 VMSA-2016-0013
   Initial security advisory in conjunction with the release of
   vRealize Automation 7.1 on 2016-08-23.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAle87+0ACgkQDEcm8Vbi9kM5hACgrcP4CZ4GP9NNb4xOxMn8aYlf
k6cAoOU8g7q828Rm0G9saFkiqpUIkYO5
=xHRV
-----END PGP SIGNATURE-----