VMware Security Advisory – VMSA-2018-0006 – vRealize Automation, vSphere Integrated Containers, and AirWatch Console

VMware has released a new security advisory: VMSA-2018-0006 – vRealize Automation, vSphere Integrated Containers, and AirWatch Console updates address multiple security vulnerabilities.

This advisory documents the remediation of two issues: one critical (a deserialization vulnerability that may allow code execution in vRealize Automation and vSphere Integrated Containers) and one important (a cross-site request forgery vulnerability when accessing the App Catalog in AirWatch Console).

VMSA-2018-0006 – Deserialization Vulnerability in vRealize Automation and vSphere Integrated Containers

CVE-2017-4947 – vRealize Automation and vSphere Integrated Containers contain a deserialization vulnerability via Xenon. Successful exploitation of the vulnerability allows code execution on the affected appliances.

Affected products and resolutions:

  • vSphere Integrated Containers 1.x – update to 1.3.0
  • vRealize Automation 7.3 – apply patches KB52326 and KB52316
  • vRealize Automation 7.2 – apply patch KB52320
  • vRealize Automation 7.1.x – not affected
  • vRealize Automation 7.0.x – not affected
  • vRealize Automation 6.x – not affected

VMSA-2018-0006 – Cross Site Request Forgery Vulnerability in AirWatch Console

CVE-2017-4951 – VMware AirWatch Console contains a cross-site request forgery vulnerability when accessing the App Catalog. To exploit the vulnerability, an attacker would need to trick users into installing a malicious application on their devices.

Affected products and resolutions:

  • AirWatch Console 9.2.x – update to 9.2.2 (the same update also addresses VMSA-2017-0020)
  • AirWatch Console 9.1.x – update to 9.1.5

You can check reports on other VMware vulnerabilities in my page dedicated to Security Advisories.

Constantin Ghioc

I usually play with vRealize Automation, vRealize Orchestrator and different AWS tools. In my other life, I’m a husband and a father, an amateur photographer and a Go enthusiast.