=====================================================================
                            CERT-Renater

              Information Note No. 2017/VULN394
_____________________________________________________________________

DATE                 : 13/12/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware AirWatch Console
                     versions 9.x prior to 9.2.2.

=====================================================================
https://lists.vmware.com/pipermail/security-announce/2017/000393.html
_____________________________________________________________________

--------------------------------------------------------------------------

                       VMware Security Advisory

Advisory ID: VMSA-2017-0020
Severity:    Moderate
Synopsis:    VMware AirWatch Console updates address Broken Access
             Control vulnerability.
Issue date:  2017-12-12
Updated on:  2017-12-12 (Initial Advisory)
CVE number:  CVE-2017-4942

1. Summary

   VMware AirWatch Console updates address Broken Access Control
   vulnerability.

2. Relevant Products

   VMware AirWatch Console (AWC)

3. Problem Description

   VMware AirWatch Console (AWC) Broken Access Control

   VMware AirWatch Console (AWC) contains a Broken Access Control
   vulnerability. Successful exploitation of this issue could result in
   end-user device details being disclosed to an unauthorized
   administrator.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2017-4942 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware     Product   Running           Replace with/ Mitigation/
   Product    Version   on      Severity  Apply Patch   Workaround
   ========== ========= ======= ========= ============= ==============
   AWC        9.x       Any     Moderate  9.2.2*        KB115015676547

   *Additional patches are available for supported Airwatch releases.
   Please see KB115015676547 for more information.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   VMware AirWatch Console 9.2.2
   Downloads and Documentation:
   https://support.air-watch.com/articles/115015625647

5. References

   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4942
   https://support.air-watch.com/articles/115015676547
   https://www.air-watch.com/en/about/contact-us
   https://support.air-watch.com/articles/115015625647

--------------------------------------------------------------------------

6. Change log

   2017-12-12: VMSA-2017-0020
   Initial security advisory in conjunction with the release of VMware
   AirWatch Console patches on 2017-12-12.

--------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     security-announce@lists.vmware.com
     bugtraq@securityfocus.com
     fulldisclosure@seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2017 VMware Inc. All rights reserved.

==========================================================
+ CERT-RENATER        |   tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel  |   fax : 01-53-94-20-41           +
+ 75013 Paris         |   email: cert@support.renater.fr +
==========================================================