VMware has released a new security advisory: VMSA-2018-0009 – vRealize Automation updates address multiple security issues.
This advisory documents the remediation of two issues: one rated important (a DOM-based cross-site scripting vulnerability that may lead to the compromise of the vRA user’s workstation) and one rated moderate (a missing renewal of session tokens vulnerability that may lead to the hijacking of a valid vRA user’s session).
VMSA-2018-0009 – DOM-based Cross-site Scripting (XSS) Vulnerability
CVE-2018-6958 – vRealize Automation contains an important vulnerability that may allow for a DOM-based cross-site scripting (XSS) attack. Exploitation of this issue may lead to the compromise of the vRA user’s workstation.
Affected products and resolutions:
- vRealize Automation 6.2 – not affected
- vRealize Automation 7.0 – update to vRA 7.3.1
- vRealize Automation 7.1 – update to vRA 7.3.1
- vRealize Automation 7.2 – update to vRA 7.3.1
- vRealize Automation 7.3 – update to vRA 7.3.1
VMSA-2018-0009 – Missing Renewal of Session Tokens Vulnerability
CVE-2018-6959 – VMware vRealize Automation contains a moderate vulnerability in the handling of session IDs. Exploitation of this issue may lead to the hijacking of a valid vRA user’s session.
Affected products and resolutions:
- vRealize Automation 6.2 – not affected
- vRealize Automation 7.0 – update to vRA 7.4.0
- vRealize Automation 7.1 – update to vRA 7.4.0
- vRealize Automation 7.2 – update to vRA 7.4.0
- vRealize Automation 7.3 – update to vRA 7.4.0
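As an added illustration of the weakness class behind CVE-2018-6959 (this is constructed example code, not vRA's own), the snippet below models a minimal session store with the weak behaviour (the pre-authentication session id is simply carried over at login) beside the hardened one (a fresh id is issued and the old one invalidated), together with the black-box check a tester would use to confirm the fix; the store, its methods and the user name "alice" are all assumptions.

```python
import secrets


class SessionStore:
    """In-memory session store modelling both behaviours (constructed illustration)."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self._sessions = {}  # session id -> {"user": str | None}

    def new_anonymous(self) -> str:
        """Issue a pre-authentication session, e.g. when the login page is served."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate the session; return the id the client must use afterwards."""
        if sid not in self._sessions:
            raise KeyError("unknown session")
        if not self.rotate_on_login:
            # Weak: the pre-auth identifier is upgraded in place, so whoever
            # learned it before login now holds an authenticated session.
            self._sessions[sid]["user"] = user
            return sid
        # Hardened: invalidate the old identifier and bind the user to a new one.
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid: str):
        """Return the authenticated user bound to sid, or None."""
        return self._sessions.get(sid, {}).get("user")


def renews_session_on_login(store: SessionStore) -> bool:
    """Check: the id issued before login must differ from the post-login id,
    and the old id must not be usable as an authenticated session."""
    pre = store.new_anonymous()
    post = store.login(pre, "alice")
    return (
        post != pre
        and store.user_for(pre) is None
        and store.user_for(post) == "alice"
    )
```

The same check applies to a real deployment by comparing the session cookie value received before and after a successful login; identical values indicate the missing renewal this advisory describes.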
You can find reports on other VMware vulnerabilities on my page dedicated to Security Advisories.