| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <61EDEDFD-BDE9-4461-B4DB-88DEB0BE0F22@vmware.com>
Date: Wed, 24 Aug 2016 01:06:20 +0000
From: VMware Security Response Center <security@...are.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>,
"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [FD] NEW VMSA-2016-0013 - VMware Identity Manager and vRealize
Automation updates address multiple security issues
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ---------------------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2016-0013
Severity: Important
Synopsis: VMware Identity Manager and vRealize Automation updates address multiple
security issues
Issue date: 2016-08-23
Updated on: 2016-08-23 (Initial Advisory)
CVE number: CVE-2016-5335, CVE-2016-5336
1. Summary
VMware Identity Manager and vRealize Automation updates address multiple security
issues
2. Relevant Products
VMware Identity Manager
vRealize Automation
3. Problem Description
a. VMware Identity Manager local privilege escalation vulnerability
VMware Identity Manager and vRealize Automation both contain a vulnerability that
may allow for a local privilege escalation. Exploitation of this issue may lead to
an attacker with access to a low-privileged account to escalate their privileges to
that of root.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has reserved
the identifier CVE-2016-5335 for this issue.
Column 5 of the following table lists the action required to remediate the
vulnerability in each release, if a solution is available.
Product Running Replace with/
VMWare Product Version on Severity Apply Patch Workaround
======================= ======= ======= ========= ============= ==========
VMware Identity Manager 2.x VA Important 2.7 None
vRealize Automation 7.0.x VA Important 7.1 None
vRealize Automation 6.x VA N/A not affected N/A
b. vRealize Automation remote code execution vulnerability
vRealize Automation contains a vulnerability that may allow for remote code
execution. Exploitation of this issue may lead to an attacker gaining access to a
low-privileged account on the appliance.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has reserved
the identifier CVE-2016-5336 for this issue.
Column 5 of the following table lists the action required to remediate the
vulnerability in each release, if a solution is available.
Product Running Replace with/
VMware Product Version on Severity Apply Patch Workaround
==================== ======= ======= ========= ============= ==========
vRealize Automation 7.0.x VA Important 7.1 KB2146585
vRealize Automation 6.x VA N/A not affected N/A
4. Solution
Please review the patch/release notes for your product and version and verify
the checksum of your downloaded file.
VMware Identity Manager 2.7
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/info/slug/desktop_end_user_computing/vmware_identity_manager/2_7
vRealize Automation 7.1
Downloads and Documentation:
https://my.vmware.com/group/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_automation/7_1#product_downloads
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5335
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5336
https://kb.vmware.com/kb/2146585
- ------------------------------------------------------------------------
6. Change log
2016-08-23 VMSA-2016-0013 Initial security advisory in conjunction with the
release of vRealize Automation 7.1 on 2016-08-23.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iEYEARECAAYFAle87+0ACgkQDEcm8Vbi9kM5hACgrcP4CZ4GP9NNb4xOxMn8aYlf
k6cAoOU8g7q828Rm0G9saFkiqpUIkYO5
=xHRV
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists