[Security-announce] NEW VMSA-2018-0023 AirWatch Agent and VMware Content Locker updates resolve data protection vulnerabilities


VMware Security Advisory

Advisory ID: VMSA-2018-0023
Severity: Low
Synopsis: AirWatch Agent and VMware Content Locker updates resolve
data protection vulnerabilities.
Issue date: 2018-09-05
Updated on: 2018-09-05 (Initial Advisory)
CVE number: CVE-2018-6975
CVE-2018-6976

1. Summary

AirWatch Agent and VMware Content Locker updates resolve data
protection vulnerabilities.

2. Relevant Products

AirWatch Agent for iOS (A/W Agent)
VMware Content Locker for iOS (A/W Locker)

3. Problem Description

a. The AirWatch Agent for iOS devices contains a data
protection vulnerability

The AirWatch Agent for iOS devices contains a data protection
vulnerability whereby the files and keychain entries in the Agent are
not encrypted.

VMware would like to thank Stephan Sekula of Compass Security for
reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2018-6975 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware      Product   Running             Replace with/   Mitigation/
Product     Version   on        Severity  Apply Patch     Workaround
==========  ========  ========  ========  ==============  ===========
A/W Agent   x.x       iOS       Low       5.8.1           None

b. The VMware Content Locker for iOS devices contains a data
protection vulnerability

The VMware Content Locker for iOS devices contains a data protection
vulnerability in the SQLite database. This vulnerability relates to
unencrypted filenames and associated metadata in SQLite database for
the Content Locker.

VMware would like to thank Stephan Sekula of Compass Security for
reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2018-6976 to this issue.

Column 5 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.

VMware      Product   Running             Replace with/   Mitigation/
Product     Version   on        Severity  Apply Patch     Workaround
==========  ========  ========  ========  ==============  ===========
A/W Locker  x.x       iOS       Low       4.14            None

4. Solution

AirWatch Agent for iOS 5.8.1
Downloads and Documentation:
https://itunes.apple.com/us/app/airwatch-agent/id338761996?mt=8

VMware Content Locker for iOS 4.14
Downloads and Documentation:
https://itunes.apple.com/us/app/vmware-content-locker/id525890839?mt=8
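
Added example, not part of VMware's advisory: a fleet check against the two fixed releases listed above, comparing versions numerically so that 4.9 is treated as older than 4.14. The inventory CSV layout, the device names, and matching apps by the product names used in this advisory are assumptions.

```python
import csv
import io
import re

# Fixed releases from section 4 of the advisory (iOS only).
FIXED = {"AirWatch Agent": (5, 8, 1), "VMware Content Locker": (4, 14)}

# Constructed sample inventory export; columns and device names are hypothetical.
SAMPLE = """\
device,platform,app,version
ipad-001,iOS,AirWatch Agent,5.8.1
ipad-002,iOS,AirWatch Agent,5.7.2
iphone-003,iOS,VMware Content Locker,4.9
iphone-004,iOS,VMware Content Locker,4.14.0
iphone-005,iOS,VMware Content Locker,unknown
pixel-006,Android,AirWatch Agent,5.0
"""

def parse_version(text):
    """Turn '4.14' into (4, 14); return None unless every component is numeric."""
    m = re.fullmatch(r"[0-9]+(?:\.[0-9]+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else None

def is_fixed(installed, fixed):
    """Numeric compare, zero-padded: 4.9 < 4.14 and 4.14.0 == 4.14."""
    width = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) >= pad(fixed)

def audit(inventory_csv):
    """Return (device, app, version, status) for each iOS row naming an affected app."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        app = row["app"].strip()
        if row["platform"].strip().lower() != "ios" or app not in FIXED:
            continue
        installed = parse_version(row["version"])
        if installed is None:
            status = "UNKNOWN"  # unparseable version string: review by hand
        elif is_fixed(installed, FIXED[app]):
            status = "OK"
        else:
            status = "VULNERABLE"
        findings.append((row["device"], app, row["version"].strip(), status))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Rows reported as UNKNOWN should be treated as unpatched until the installed version is confirmed.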

5. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6976

------------------------------------------------------------------------

6. Change log

2018-09-05: Initial security advisory in conjunction with the release
of VMware Content Locker for iOS 4.14 on 2018-09-05

------------------------------------------------------------------------

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2018 VMware Inc. All rights reserved.
