
====================================================================

                               CERT-Renater

                   Information Note No. 2016/VULN395
_____________________________________________________________________

DATE                : 23/11/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware Identity Manager versions 2.x,
                     vRealize Automation versions 7.x, 6.x.

=====================================================================
http://lists.vmware.com/pipermail/security-announce/2016/000357.html
____________________________________________________________________

---------------------------------------------------------------------------
                            VMware Security Advisory

Advisory ID: VMSA-2016-0021
Severity:    Moderate
Synopsis:    VMware product updates address partial information
               disclosure vulnerability
Issue date:  2016-11-22
Updated on:  2016-11-22 (Initial Advisory)
CVE number:  CVE-2016-5334

1. Summary

    VMware product updates address partial information disclosure
    vulnerability

2. Relevant Products

    VMware Identity Manager
    vRealize Automation

3. Problem Description

    Partial information disclosure vulnerability in VMware Identity
    Manager

    VMware Identity Manager contains a vulnerability that may allow for a
    partial information disclosure. Successful exploitation of the
    vulnerability may allow read access to files contained in the
    /SAAS/WEB-INF and /SAAS/META-INF directories remotely.

    VMware would like to thank Max Chang of Trend Micro for reporting
    this issue to us.

    The Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the identifier CVE-2016-5334 to this issue.
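
    A log check for requests that resolve into the two directories named
    in the problem description, added here as an example; it is not
    VMware's or CERT-Renater's code. The Combined Log Format, the sample
    lines and the file names in them are assumptions constructed for
    illustration; the advisory does not describe the form of the request.

```python
import posixpath
import re
from urllib.parse import unquote

# Directories named in the advisory, lower-cased for case-insensitive matching.
PROTECTED = ("/saas/web-inf", "/saas/meta-inf")
# Assumption: access log in Common/Combined Log Format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def normalise(target):
    """Reduce a request target to a canonical lower-case path."""
    path = target.split("?", 1)[0]
    for _ in range(3):  # undo nested percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path.replace("\\", "/"))
    return posixpath.normpath(path).lower()

def scan(lines):
    """Return (ip, time, raw target, verdict) per request under PROTECTED."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = normalise(m["target"])
        if any(path == d or path.startswith(d + "/") for d in PROTECTED):
            verdict = "served" if m["status"].startswith("2") else "not-served"
            findings.append((m["ip"], m["ts"], m["target"], verdict))
    return findings

# Constructed sample lines: documentation IP ranges, invented file names.
SAMPLE = [
    '192.0.2.10 - - [22/Nov/2016:10:00:01 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/Nov/2016:10:00:05 +0000] "GET /SAAS/WEB-INF/web.xml HTTP/1.1" 404 310',
    '198.51.100.7 - - [22/Nov/2016:10:00:09 +0000] "GET /SAAS/%57EB-INF/web.xml HTTP/1.1" 200 2048',
    '198.51.100.7 - - [22/Nov/2016:10:00:12 +0000] "GET /SAAS/static/../META-INF/MANIFEST.MF HTTP/1.1" 200 96',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep="  ")
```

    A "served" verdict on a release older than the fixed versions in the
    table below is a candidate for reviewing what the response contained.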

    Column 5 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware          Product   Running          Replace with/ Mitigations/
    Product         Version   on      Severity Apply patch   Workarounds
    =============== ========= ======= ======== ============= ============
    VMware Identity 2.x       VA      Moderate 2.7.1         None
    Manager

    vRealize        7.x       VA      Moderate 7.2.0*        None
    Automation

    vRealize        6.x       VA      N/A      not affected  N/A
    Automation

    *vRealize Automation 7.x ships with an RPM-based version of VMware
    Identity Manager

4. Solution

    Please review the patch/release notes for your product and version
    and verify the checksum of your downloaded file.

    VMware Identity Manager
    Downloads and Documentation:

https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_identity_manager/2_7

    vRealize Automation
    Downloads and Documentation:

https://my.vmware.com/en/web/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_automation/7_2

5. References

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5334

---------------------------------------------------------------------------

6. Change log

    2016-11-22 VMSA-2016-0021 Initial security advisory in conjunction
    with the release of vRealize Automation 7.2.0 on 2016-11-22.

---------------------------------------------------------------------------

7. Contact

    E-mail list for product security notifications and announcements:
    http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

    This Security Advisory is posted to the following lists:

     security-announce@lists.vmware.com
     bugtraq@securityfocus.com
     fulldisclosure@seclists.org

    E-mail: security at vmware.com
    PGP key at: https://kb.vmware.com/kb/1055

    VMware Security Advisories
    http://www.vmware.com/security/advisories

    VMware Security Response Policy
    https://www.vmware.com/support/policies/security_response.html

    VMware Lifecycle Support Phases
    https://www.vmware.com/support/policies/lifecycle.html

    Twitter
    https://twitter.com/VMwareSRC

    Copyright 2016 VMware Inc.  All rights reserved.

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================




