==================================================================== CERT-Renater Note d'Information No. 2018/VULN382 _____________________________________________________________________ DATE : 14/11/2018 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running VMware vRealize Log Insight versions 4.7.x, 4.6.x prior to 4.7.1, 4.6.2. ===================================================================== https://lists.vmware.com/pipermail/security-announce/2018/000442.html _____________________________________________________________________ - ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2018-0028 Severity: Moderate Synopsis: VMware vRealize Log Insight updates address an authorization bypass vulnerability Issue date: 2018-11-13 Updated on: 2018-11-13 (Initial Advisory) CVE number: CVE-2018-6980 1. Summary VMware vRealize Log Insight updates address an authorization bypass vulnerability 2. Relevant Products VMware vRealize Log Insight (vRLI) 3. Problem Description vRealize Log Insight improper authorization vulnerability VMware vRealize Log Insight contains a vulnerability due to improper authorization in the user registration method. Successful exploitation of this issue may allow Admin users with view only permission to perform certain administrative functions which they are not allowed to perform. VMware would like to thank Piotr Madej of ING Tech Poland for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-6980 to this issue. Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Mitigations/ Product Version on Severity Apply patch Workarounds ======== ======== ========= ========= ============ ============ vRLI 4.7.x Virtual Moderate 4.7.1 None Appliance vRLI 4.6.x Virtual Moderate 4.6.2 None Appliance 4. Solution Please review the patch/release notes for your product and version and verify the checksum of your downloaded file. VMware vRealize Log Insight 4.7.1 Downloads and Documentation: https://my.vmware.com/web/vmware/info/slug/infrastructure_operations _management/vmware_vrealize_log_insight/4_7 VMware vRealize Log Insight 4.6.2 Downloads and Documentation: https://my.vmware.com/web/vmware/info/slug/infrastructure_operations _management/vmware_vrealize_log_insight/4_6 5. References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6980 - ----------------------------------------------------------------------- 6. Change log VMSA-2018-0028 2018-11-13 Initial security advisory in conjunction with the release of vRLI 4.7.1 and 4.6.2 on 2018-11-13. - ------------------------------------------------------------------------ 7. Contact E-mail list for product security notifications and announcements: https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce at lists.vmware.com bugtraq at securityfocus.com fulldisclosure at seclists.org E-mail: security at vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories https://www.vmware.com/security/advisories Consolidated list of VMware Security Advisories https://kb.vmware.com/kb/2078735 VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html VMware Security & Compliance Blog https://blogs.vmware.com/security Twitter https://twitter.com/VMwareSRC Copyright 2018 VMware Inc. All rights reserved. ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================