==================================================================== CERT-Renater Note d'Information No. 2018/VULN146 _____________________________________________________________________ DATE : 12/04/2018 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running vRealize Automation (vRA) ===================================================================== https://lists.vmware.com/pipermail/security-announce/2018/000411.html _____________________________________________________________________ ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2018-0009 Severity: Important Synopsis: vRealize Automation updates address multiple security issues. Issue date: 2018-04-12 Updated on: 2018-04-12 (Initial Advisory) CVE number: CVE-2018-6958, CVE-2018-6959 1. Summary vRealize Automation (vRA) updates address multiple security issues. 2. Relevant Products vRealize Automation (vRA) 3. Problem Description a. DOM-based cross-site scripting (XSS) vulnerability VMware vRealize Automation contains a vulnerability that may allow for a DOM-based cross-site scripting (XSS) attack. Exploitation of this issue may lead to the compromise of the vRA user's workstation. VMware would like to thank Oliver Matula and Benjamin Schwendemann of ERNW Enno Rey Netzwerke GmbH for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6958 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMwareProduct RunningReplace with/ Mitigation/ Product Version on Severity Apply Patch Workaround ========== ========= ======= ======== ================ ========== vRA7.3.xVA Important 7.3.1 None vRA7.2.xVA Important 7.3.1 None vRA7.1.xVA Important 7.3.1 None vRA7.0.xVA Important 7.3.1 None vRA6.2.xVA N/A not affected N/A b. Missing renewal of session tokens vulnerability VMware vRealize Automation contains a vulnerability in the handling of session IDs. Exploitation of this issue may lead to the hijacking of a valid vRA user's session. VMware would like to thank Oliver Matula and Benjamin Schwendemann of ERNW Enno Rey Netzwerke GmbH for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6959 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Mitigation/ Product Version on Severity Apply Patch Workaround ========== ========= ======= ======== ================ ========== vRA 7.3.x VA Moderate 7.4.0 None vRA 7.2.x VA Moderate 7.4.0 None vRA 7.1.x VA Moderate 7.4.0 None vRA 7.0.x VA Moderate 7.4.0 None vRA 6.2.x VA N/A not affected N/A 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vRealize Automation 7.3.1 Downloads: https://my.vmware.com/web/vmware/info/slug/ infrastructure_operations_management/vmware_vrealize_automation/7_3 Documentation: https://docs.vmware.com/en/vRealize-Automation/index.html vRealize Automation 7.4.0 Downloads: https://my.vmware.com/web/vmware/info/slug/ infrastructure_operations_management/vmware_vrealize_automation/7_4 Documentation: https://docs.vmware.com/en/vRealize-Automation/index.html 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6958 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6959 - ------------------------------------------------------------------------- 6. Change log 2018-04-12 VMSA-2018-0009 Initial security advisory in conjunction with the release of vRealize Automation 7.4.0 on 2018-04-12 - ------------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html VMware Security & Compliance Blog https://blogs.vmware.com/security Twitter https://twitter.com/VMwareSRC Copyright 2018 VMware Inc. All rights reserved. An HTML attachment was scrubbed... URL: ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ========================================================== -- Francois Ducrot GIP RENATER - Direction Technique SSI/CERT Tél : +33 1 53 94 20 84 http://www.renater.fr