[Security-announce] NEW VMSA-2018-0009 vRealize Automation updates address multiple security issues

\n\n–===============1159084181644537805==
Content-Language: en-US
Content-Type: multipart/alternative;
boundary=”_000_BN3PR05MB25160C4623CDA6A1078683EAB1BC0BN3PR05MB2516namp_”

–_000_BN3PR05MB25160C4623CDA6A1078683EAB1BC0BN3PR05MB2516namp_
Content-Type: text/plain; charset=”us-ascii”
Content-Transfer-Encoding: quoted-printable

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1

– ————————————————————————

VMware Security Advisory

Advisory ID: VMSA-2018-0009
Severity: Important
Synopsis: vRealize Automation updates address
multiple security issues.
Issue date: 2018-04-12
Updated on: 2018-04-12 (Initial Advisory)
CVE number: CVE-2018-6958, CVE-2018-6959

1. Summary

vRealize Automation (vRA) updates address
multiple security issues.

2. Relevant Products

vRealize Automation (vRA)

3. Problem Description

a. DOM-based cross-site scripting (XSS) vulnerability

VMware vRealize Automation contains a vulnerability that may allow
for a DOM-based cross-site scripting (XSS) attack. Exploitation of
this issue may lead to the compromise of the vRA user’s workstation.

VMware would like to thank Oliver Matula and Benjamin Schwendemann
of ERNW Enno Rey Netzwerke GmbH for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2018-6958 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/ Mitigation/
Product Version on Severity Apply Patch Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=
=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
vRA 7.3.x VA Important 7.3.1 None
vRA 7.2.x VA Important 7.3.1 None
vRA 7.1.x VA Important 7.3.1 None
vRA 7.0.x VA Important 7.3.1 None
vRA 6.2.x VA N/A not affected N/A

b. Missing renewal of session tokens vulnerability

VMware vRealize Automation contains a vulnerability in the handling
of session IDs. Exploitation of this issue may lead to the hijacking
of a valid vRA user’s session.

VMware would like to thank Oliver Matula and Benjamin Schwendemann
of ERNW Enno Rey Netzwerke GmbH for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2018-6959 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware Product Running Replace with/ Mitigation/
Product Version on Severity Apply Patch Workaround
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=
=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
vRA 7.3.x VA Moderate 7.4.0 None
vRA 7.2.x VA Moderate 7.4.0 None
vRA 7.1.x VA Moderate 7.4.0 None
vRA 7.0.x VA Moderate 7.4.0 None
vRA 6.2.x VA N/A not affected N/A

4. Solution

Please review the patch/release notes for your product and version and
verify the checksum of your downloaded file.

vRealize Automation 7.3.1
Downloads:
https://my.vmware.com/web/vmware/info/slug/
infrastructure_operations_management/vmware_vrealize_automation/7_3
Documentation:
https://docs.vmware.com/en/vRealize-Automation/index.html

vRealize Automation 7.4.0
Downloads:
https://my.vmware.com/web/vmware/info/slug/
infrastructure_operations_management/vmware_vrealize_automation/7_4
Documentation:
https://docs.vmware.com/en/vRealize-Automation/index.html

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-6958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-6959

– ————————————————————————-

6. Change log

2018-04-12 VMSA-2018-0009
Initial security advisory in conjunction with the release of
vRealize Automation 7.4.0 on 2018-04-12

– ————————————————————————-
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter

Copyright 2018 VMware Inc. All rights reserved.

—–BEGIN PGP SIGNATURE—–
Version: Encryption Desktop 10.4.1 (Build 490)
Charset: utf-8

wj8DBQFaz10uDEcm8Vbi9kMRAvTKAKD3Iwy3sJANhn+Sqf9TQJ0aYh31JQCgsYat
ElKsG4vJEpt+AhOtn8em1yU=3D
=3Dn+Gt
—–END PGP SIGNATURE—–

–_000_BN3PR05MB25160C4623CDA6A1078683EAB1BC0BN3PR05MB2516namp_
Content-Type: text/html; charset=”us-ascii”
Content-Transfer-Encoding: quoted-printable

—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA1

 

– ————————————————–=
———————-

 

        &nbs=
p;            &=
nbsp;         VMware Security Advis=
ory

 

Advisory ID: VMSA-2018-0009

Severity:    Important

Synopsis:    vRealize Automation upda=
tes address

        &nbs=
p;    multiple security issues.

Issue date:  2018-04-12

Updated on:  2018-04-12 (Initial Advisory)=

CVE number:  CVE-2018-6958, CVE-2018-6959

 

1. Summary

 

   vRealize Automation (vRA) updates addre=
ss

   multiple security issues.

 

2. Relevant Products

 

   vRealize Automation (vRA)

 

3. Problem Description

 

   a. DOM-based cross-site scripting (XSS)=
vulnerability

  

   VMware vRealize Automation contain=
s a vulnerability that may allow

   for a DOM-based cross-site scripti=
ng (XSS) attack. Exploitation of

   this issue may lead to the comprom=
ise of the vRA user’s workstation.

  

   VMware would like to thank Oliver =
Matula and Benjamin Schwendemann

   of ERNW Enno Rey Netzwerke GmbH fo=
r reporting this issue to us.

 

   The Common Vulnerabilities and Exposure=
s project (cve.mitre.org) has

   assigned the identifier CVE-2018-6958 t=
o this issue.

 

   Column 5 of the following table lists t=
he action required to

   remediate the vulnerability in each rel=
ease, if a solution is

   available.

 

   VMware      Pr=
oduct    Running        &=
nbsp;   Replace with/     Mitigation/

   Product     Version=
    on       Severity  Ap=
ply Patch       Workaround

   =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  =
=3D=3D=3D=3D=3D=3D=3D=3D=3D  =3D=3D=3D=3D=3D=3D=3D  =3D=3D=3D=3D=
=3D=3D=3D=3D  =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

   vRA      =
   7.3.x      VA    =
   Important 7.3.1       &nbs=
p;      None

   vRA     &=
nbsp;   7.2.x      VA   &=
nbsp;   Important 7.3.1       =
       None

   vRA      =
   7.1.x      VA    =
   Important 7.3.1       &nbs=
p;      None

   vRA     &=
nbsp;   7.0.x      VA   &=
nbsp;   Important 7.3.1       =
       None

   vRA      =
   6.2.x      VA    =
   N/A       not affected &nbs=
p;     N/A

        &nbs=
p;            &=
nbsp;           &nbs=
p;            &=
nbsp;

  

   b. Missing renewal of session toke=
ns vulnerability

 

   VMware vRealize Automation contains a v=
ulnerability in the handling

   of session IDs. Exploitation of th=
is issue may lead to the hijacking

   of a valid vRA user’s session.

 

   VMware would like to thank Oliver Matul=
a and Benjamin Schwendemann

   of ERNW Enno Rey Netzwerke GmbH fo=
r reporting this issue to us.

 

   The Common Vulnerabilities and Exposure=
s project (cve.mitre.org) has

   assigned the identifier CVE-2018-6959 t=
o this issue.

 

   Column 5 of the following table lists t=
he action required to

   remediate the vulnerability in each rel=
ease, if a solution is

   available.

 

   VMware      Pr=
oduct    Running       &n=
bsp;    Replace with/     Mitigation/

   Product     Version=
    on       Severity  Ap=
ply Patch       Workaround

   =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  =
=3D=3D=3D=3D=3D=3D=3D=3D=3D  =3D=3D=3D=3D=3D=3D=3D  =3D=3D=3D=3D=
=3D=3D=3D=3D  =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

   vRA      =
   7.3.x      VA    =
   Moderate  7.4.0      &nbsp=
;       None

   vRA     &=
nbsp;   7.2.x      VA   &=
nbsp;   Moderate  7.4.0      &=
nbsp;       None

   vRA      =
   7.1.x      VA    =
   Moderate  7.4.0      &nbsp=
;       None

   vRA     &=
nbsp;   7.0.x      VA   &=
nbsp;   Moderate  7.4.0      &=
nbsp;       None

   vRA      =
   6.2.x      VA    =
   N/A       not affected &nbs=
p;     N/A 

 

  

4. Solution

 

   Please review the patch/release notes f=
or your product and version and

   verify the checksum of your downloaded =
file.

 

   vRealize Automation 7.3.1

   Downloads:

   https://my.vmware.com/web/vmware/info/s=
lug/

   infrastructure_operations_management/vm=
ware_vrealize_automation/7_3  

   Documentation:

   https://docs.vmware.com/en/vRealize-Aut=
omation/index.html

  

   vRealize Automation 7.4.0

   Downloads:

   https://my.vmware.com/web/vmware/info/s=
lug/

   infrastructure_operations_management/vm=
ware_vrealize_automation/7_4

   Documentation:

   https://docs.vmware.com/en/vRealize-Aut=
omation/index.html

   

   

5. References

 

   http://cve.mitre.org/cgi-bin/cvename.cg=
i?name=3DCVE-2018-6958

   http://cve.mitre.org/cgi-bin/cvename.cg=
i?name=3DCVE-2018-6959

    

– ————————————————–=
———————–

 

6. Change log

 

   2018-04-12 VMSA-2018-0009

   Initial security advisory in conjunctio=
n with the release of

   vRealize Automation 7.4.0 on 2018-=
04-12

 

– ————————————————–=
———————–

7. Contact

 

   E-mail list for product security notifi=
cations and announcements:

   http://lists.vmware.com/cgi-bin/mailman=
/listinfo/security-announce

 

   This Security Advisory is posted to the=
following lists:

  

     security-announce@list=
s.vmware.com

     bugtraq@securityfocus.com

     fulldisclosure@seclists.org=

 

   E-mail: security@vmware.com

   PGP key at: https://kb.vmware.com/kb/10=
55

 

   VMware Security Advisories

   http://www.vmware.com/security/advisori=
es

 

   VMware Security Response Policy

   https://www.vmware.com/support/policies=
/security_response.html

 

   VMware Lifecycle Support Phases

   https://www.vmware.com/support/policies=
/lifecycle.html

  

   VMware Security & Compliance B=
log

   https://blogs.vmware.com/security

 

   Twitter

   https://twitter.com/VMwareSRC

 

   Copyright 2018 VMware Inc.  All ri=
ghts reserved.

 

—–BEGIN PGP SIGNATURE—–

Version: Encryption Desktop 10.4.1 (Build 490)

Charset: utf-8

 

wj8DBQFaz10uDEcm8Vbi9kMRAvTKAKD3Iwy3sJANhn+Sqf9T=
QJ0aYh31JQCgsYat

ElKsG4vJEpt+AhOtn8em1yU=3D

=3Dn+Gt

—–END PGP SIGNATURE—–

–_000_BN3PR05MB25160C4623CDA6A1078683EAB1BC0BN3PR05MB2516namp_–

–===============1159084181644537805==
Content-Type: text/plain; charset=”us-ascii”
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
https://lists.vmware.com/mailman/listinfo/security-announce

–===============1159084181644537805==–