==================================================================== CERT-Renater Note d'Information No. 2016/VULN390 _____________________________________________________________________ DATE : 16/11/2016 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running vRealize Operations versions 6.x, prior to 6.4.0. ===================================================================== http://lists.vmware.com/pipermail/security-announce/2016/000353.html ____________________________________________________________________ - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2016-0020 Severity: Important Synopsis: vRealize Operations update addresses REST API deserialization vulnerability Issue date: 2016-11-15 Updated on: 2016-11-15 (Initial Advisory) CVE number: CVE-2016-7462 1. Summary vRealize Operations update addresses REST API deserialization vulnerability. 2. Relevant Products vRealize Operations 3. Problem Description a. vRealize Operations REST API deserialization vulnerability vRealize Operations contains a deserialization vulnerability in its REST API implementation. This issue may result in a Denial of Service as it allows for writing of files with arbitrary content and moving existing files into certain folders. The name format of the destination files is predefined and their names cannot be chosen. Overwriting files is not feasible. VMware would like to thank Jacob Baines of Tenable Network Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-7462 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Mitigations/ Product Version on Severity Apply patch Workarounds ========== ======= ======= ========= ============= ========== vRealize 6.x Any Important 6.4.0 None Operations vRealize 5.x Any N/A Not affected N/A Operations 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. vRealize Operations Downloads and Documentation: https://my.vmware.com/en/web/vmware/info/slug/infrastructure_operations_man agement/vmware_vrealize_operations/6_4 5. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7462 - ------------------------------------------------------------------------ 6. Change log 2016-11-15 VMSA-2016-0020 Initial security advisory in conjunction with the release of vRealize Operations 6.4 on 2016-11-15. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security@vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html Twitter https://twitter.com/VMwareSRC Copyright 2016 VMware Inc. All rights reserved. ========================================================== Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================