
====================================================================

                               CERT-Renater

                    Information Note No. 2016/VULN300
_____________________________________________________________________

DATE                : 24/08/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware Identity Manager or
                         vRealize Automation.

=====================================================================
http://lists.vmware.com/pipermail/security-announce/2016/000343.html
____________________________________________________________________

---------------------------------------------------------------------------------------
                              VMware Security Advisory

Advisory ID: VMSA-2016-0013
Severity:    Important
Synopsis:    VMware Identity Manager and vRealize Automation updates
             address multiple security issues
Issue date:  2016-08-23
Updated on:  2016-08-23 (Initial Advisory)
CVE number:  CVE-2016-5335, CVE-2016-5336

1. Summary

    VMware Identity Manager and vRealize Automation updates address
    multiple security issues.

2. Relevant Products

    VMware Identity Manager
    vRealize Automation

3. Problem Description

    a. VMware Identity Manager local privilege escalation vulnerability

    VMware Identity Manager and vRealize Automation both contain a
    vulnerability that may allow a local privilege escalation.
    Exploitation of this issue may allow an attacker with access to a
    low-privileged account to escalate their privileges to those of root.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    reserved the identifier CVE-2016-5335 for this issue.

    Column 5 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

                              Product   Running               Replace with/
    VMware Product            Version   on        Severity    Apply Patch     Workaround
    =======================   =======   =======   =========   =============   ==========
    VMware Identity Manager   2.x       VA        Important   2.7             None
    vRealize Automation       7.0.x     VA        Important   7.1             None
    vRealize Automation       6.x       VA        N/A         not affected    N/A

    b. vRealize Automation remote code execution vulnerability

    vRealize Automation contains a vulnerability that may allow for
    remote code execution. Exploitation of this issue may lead to an
    attacker gaining access to a low-privileged account on the appliance.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    reserved the identifier CVE-2016-5336 for this issue.

    Column 5 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

                           Product   Running               Replace with/
    VMware Product         Version   on        Severity    Apply Patch     Workaround
    ====================   =======   =======   =========   =============   ==========
    vRealize Automation    7.0.x     VA        Important   7.1             KB2146585
    vRealize Automation    6.x       VA        N/A         not affected    N/A

4. Solution

    Please review the patch/release notes for your product and version
    and verify the checksum of your downloaded file.

    VMware Identity Manager 2.7
    Downloads and Documentation:
    https://my.vmware.com/en/web/vmware/info/slug/desktop_end_user_computing/vmware_identity_manager/2_7

    vRealize Automation 7.1
    Downloads and Documentation:
    https://my.vmware.com/group/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_automation/7_1#product_downloads

5. References

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5335
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5336
    https://kb.vmware.com/kb/2146585

------------------------------------------------------------------------

6. Change log

    2016-08-23 VMSA-2016-0013 Initial security advisory in conjunction
    with the release of vRealize Automation 7.1 on 2016-08-23.

------------------------------------------------------------------------

7. Contact

    E-mail list for product security notifications and announcements:
    http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

    This Security Advisory is posted to the following lists:

     security-announce at lists.vmware.com
     bugtraq at securityfocus.com
     fulldisclosure at seclists.org

    E-mail: security at vmware.com
    PGP key at: https://kb.vmware.com/kb/1055

    VMware Security Advisories
    http://www.vmware.com/security/advisories

    VMware Security Response Policy
    https://www.vmware.com/support/policies/security_response.html

    VMware Lifecycle Support Phases
    https://www.vmware.com/support/policies/lifecycle.html
    Twitter
    https://twitter.com/VMwareSRC

    Copyright 2016 VMware Inc.  All rights reserved.

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================