VMware has released a new security advisory: “VMSA-2017-0020 – VMware AirWatch Console updates address Broken Access Control vulnerability”.
VMware AirWatch Console has a Broken Access Control vulnerability. Successful exploitation of this issue could result in end-user device details being disclosed to an unauthorized administrator.
Common Vulnerabilities and Exposures project has assigned the identifier CVE-2017-4942 to this issue.
The vulnerability consists of two distinct issues which, together, could allow a tenant to accidentally come into contact with another tenant’s device details. The first issue occurs as the result of a UI issue present under certain conditions, which may lead to the display of an incorrect device’s details. The second issue occurs when the device details are incorrectly displayed to the unauthorized administrator, which results from a missing access control check performed on the request.
AirWatch Console 9.2.2 (released on 5th December) resolved the issue. For more details on this version you can check KB115015625647 (please note you need to login) and the release notes.
For shared SaaS environments, no action is required as all shared SaaS environments have been patched for this vulnerability. For dedicated SaaS and On-Premises, patches have been made available for all AirWatch Console versions 9.0.1 and up.
VMware has also released a workaround for customers who are unable to immediately apply the patch. You can check it in KB115015676547.
You can check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.