==================================================================== CERT-Renater Note d'Information No. 2016/VULN292 _____________________________________________________________________ DATE : 12/08/2016 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running vRealize Log Insight versions 3.x, 2.x. ===================================================================== http://lists.vmware.com/pipermail/security-announce/2016/000338.html ____________________________________________________________________ - ----------------------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2016-0011 Severity: Moderate Synopsis: vRealize Log Insight update addresses directory traversal vulnerability. Issue date: 2016-08-11 Updated on: 2016-08-11 (Initial Advisory) CVE number: CVE-2016-5332 1. Summary vRealize Log Insight update addresses directory traversal vulnerability. 2. Relevant Products vRealize Log Insight 3. Directory traversal vulnerability in vRealize Log Insight vRealize Log Insight contains a vulnerability that may allow for a directory traversal attack. Exploitation of this issue may lead to a partial information disclosure. There are no known workarounds for this issue. VMware would like to thank Peter Nelson, Security Engineer at WakeMed Health & Hospitals for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-5332 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Severity Apply Patch Workaround ==================== ======= ======= ======== ============= ========== vRealize Log Insight 3.x VA Moderate 3.6.0 None vRealize Log Insight 2.x VA Moderate 3.6.0 None 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vRealize Log Insight 3.6.0 Downloads and Documentation: https://my.vmware.com/web/vmware/details?downloadGroup=VRLI-360&productId=598&rPId=12336 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5332 - ------------------------------------------------------------------------ 6. Change log 2016-08-11 VMSA-2016-0011 Initial security advisory in conjunction with the release of vRealize Log Insight 3.6.0 on 2016-08-11. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2016 VMware Inc. All rights reserved. ========================================================== Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================