VMware has released a new security advisory: VMSA-2018-0006 – vRealize Automation, vSphere Integrated Containers, and AirWatch Console updates address multiple security vulnerabilities.
This advisory documents the remediation of two issues: one critical (deserialization vulnerability which may allow code execution in vRealize Automation and vSphere Integrated Containers) and one important (a cross site request forgery vulnerability when accessing the App Catalog in AirWatch Console).
VMSA-2018-0006 – Deserialization Vulnerability in vRealize Automation and vSphere Integrated Containers
CVE-2017-4947 – vRealize Automation and vSphere Integrated Containers contain a deserialization vulnerability via Xenon. A successful exploit of the vulnerability will allow code execution on the relevant appliances.
Affected products and resolutions:
- vSphere Integrated Containers 1.x – update to 1.3.0
- vRealize Automation 7.3 – apply patches KB52326 and KB52316
- vRealize Automation 7.2 – apply patch KB52320
- vRealize Automation 7.1.x – not affected
- vRealize Automation 7.0.x – not affected
- vRealize Automation 6.x – not affected
VMSA-2018-0006 – Cross Site Request Forgery Vulnerability in AirWatch Console
CVE-2017-4951 – VMware AirWatch Console contains a cross site request forgery vulnerability when accessing the App Catalog. For a successful exploit of the vulnerability, the attacker would need to trick users into installing a malicious application on their devices.
Affected products and resolutions:
- AirWatch Console 9.2.x – update to 9.2.2 (same update is required to fix VMSA-2017-0020)
- AirWatch Console 9.1.x – update to 9.1.5
You can check reports on other VMware vulnerabilities on my page dedicated to Security Advisories.