
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN191
_____________________________________________________________________

DATE                : 15/04/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running vRealize Log Insight versions prior
                     to 68.7.0.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2020-0007.html
_____________________________________________________________________


VMware Security Advisories

Advisory ID             VMSA-2020-0007
Advisory Severity       Important
CVSSv3 Range            6.1 - 8.4
Synopsis                VMware vRealize Log Insight addresses Cross Site
                        Scripting (XSS) and Open Redirect
                        vulnerabilities (CVE-2020-3953, CVE-2020-3954)
Issue Date              2020-04-14
Updated On              2020-04-14 (Initial Advisory)

CVE(s)                  CVE-2020-3953, CVE-2020-3954


1. Impacted Products

VMware vRealize Log Insight


2. Introduction

Cross Site Scripting (XSS) and Open Redirect vulnerabilities in vRealize
Log Insight were privately reported to the VMware Security Response
Center. Updates are available to remediate these vulnerabilities in
vRealize Log Insight.

3a. Cross Site Scripting (XSS) vulnerabilities in vRealize Log Insight
due to improper input validation (CVE-2020-3953)


Description:
vRealize Log Insight does not properly validate user input, resulting in
XSS vulnerabilities. VMware has evaluated the severity of this issue to
be in the Important severity range with a maximum CVSSv3 base score of
8.4.

Known Attack Vectors:
A malicious actor with permissions equivalent to the predefined 'user'
role may be able to add a malicious payload via the Log Insight UI which
would be executed when the victim (another user or administrator) views
this data in the UI (Stored XSS). Successful exploitation of this issue
may result in a compromise of the victim's workstation.


Resolution:

To remediate CVE-2020-3953 apply the updates listed in the 'Fixed
Version' column of the 'Response Matrix' below.


Workarounds:
None.


Additional Documentation:
None.

Notes:
None.


Acknowledgements:

VMware would like to thank Michał Bogdanowicz @STM Solutions
[https://www.linkedin.com/in/micha%C5%82-bogdanowicz-603267a8/] and
Michal Brzezicki @STM Solutions
[https://www.linkedin.com/in/m-brzezicki/] for reporting this issue to
us.


3b. Open Redirect vulnerability in vRealize Log Insight due to improper
input validation (CVE-2020-3954)

Description:
vRealize Log Insight does not properly validate user input, resulting in
an Open Redirect vulnerability. VMware has evaluated the severity of
this issue to be in the Moderate severity range with a maximum CVSSv3
base score of 6.1.


Known Attack Vectors:
A malicious actor may be able to perform a phishing attack by sending a
seemingly trusted URL for a vRLI deployment to a victim. Upon opening
this URL the victim will be redirected to a location of the attacker's
choosing. Successful exploitation of this issue may result in a
compromise of the victim's workstation.
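The defensive counterpart to this issue is a redirect-target check that only ever sends the browser back to the application's own origin. The following is an added example, not VMware's code: the origin "vrli.example.org" is a constructed stand-in for a vRLI deployment, and the function shows why the check must be done on the resolved URL rather than with a prefix or blacklist test.

```python
# Added example (not VMware's or vRealize Log Insight's code): a redirect
# target validator of the kind that closes an open-redirect hole such as
# CVE-2020-3954. APP_ORIGIN is a constructed placeholder for a vRLI host.
from urllib.parse import urljoin, urlsplit, urlunsplit

APP_ORIGIN = "https://vrli.example.org"   # constructed; the only allowed origin


def safe_redirect_target(candidate: str) -> str:
    """Return an absolute URL that is guaranteed to stay on APP_ORIGIN.

    The candidate (e.g. a 'next' or 'returnTo' parameter) is resolved the
    way a browser would resolve it, and the *resulting* scheme and host are
    compared with the application's. Scheme-relative ("//host"), backslash
    ("/\\host"), userinfo ("https://good@host") and non-http ("javascript:")
    inputs all fail the same rule; nothing is pattern-matched on the input.
    Anything that would leave the origin falls back to the origin root.
    """
    expected = urlsplit(APP_ORIGIN)
    fallback = urlunsplit((expected.scheme, expected.netloc, "/", "", ""))
    if not candidate or not candidate.strip():
        return fallback
    # Browsers treat a backslash in the authority like a slash; normalise
    # first so urlsplit sees what the browser would see.
    normalised = candidate.strip().replace("\\", "/")
    resolved = urlsplit(urljoin(APP_ORIGIN + "/", normalised))
    if (resolved.scheme != expected.scheme
            or resolved.netloc.lower() != expected.netloc.lower()):
        return fallback
    # Rebuild with the trusted scheme/host: even a path beginning with "//"
    # (e.g. "https://vrli.example.org//other/x") stays on our origin this
    # way, whereas echoing it back as a relative Location would not.
    return urlunsplit((expected.scheme, expected.netloc,
                       resolved.path or "/", resolved.query, resolved.fragment))


if __name__ == "__main__":
    for sample in ["/dashboard?view=1", "//evil.example/x", "/\\evil.example",
                   "https://vrli.example.org@evil.example/", "javascript:alert(1)",
                   "http://vrli.example.org/admin",
                   "https://vrli.example.org//evil.example/x"]:
        print(f"{sample!r:50} -> {safe_redirect_target(sample)}")
```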


Resolution:
To remediate CVE-2020-3954 apply the updates listed in the 'Fixed
Version' column of the 'Response Matrix' below.

Workarounds:
None.


Additional Documentation:
None.

Notes:
None.


Acknowledgements:
VMware would like to thank Michał Bogdanowicz @STM Solutions
[https://www.linkedin.com/in/micha%C5%82-bogdanowicz-603267a8/] and
Michal Brzezicki @STM Solutions
[https://www.linkedin.com/in/m-brzezicki/] for reporting this issue to us.


Response Matrix:

Product               Version       Running On         CVE Identifier  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
vRealize Log Insight  8.0.0, 4.x.y  Virtual Appliance  CVE-2020-3953   8.4     Important  8.1.0          None         None
vRealize Log Insight  8.0.0, 4.x.y  Virtual Appliance  CVE-2020-3954   6.1     Moderate   8.1.0          None         None


4. References


Fixed Version(s) and Release Notes:

 vRealize Log Insight 8.1.0:

https://my.vmware.com/web/vmware/info/slug/infrastructure_operations_management/vmware_vrealize_log_insight/8_1


Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3953
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3954


FIRST CVSSv3 Calculator:
CVE-2020-3953:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
CVE-2020-3954:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N



5. Change log


2020-04-14 VMSA-2020-0007
Initial security advisory.


6. Contact


E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce


This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com
  bugtraq@securityfocus.com
  fulldisclosure@seclists.org



E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055



VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2020 VMware Inc. All rights reserved.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================