Executive Summary
Summary | |
---|---|
Title | vRealize Automation, vSphere Integrated Containers, and AirWatch Console updates address multiple security vulnerabilities |
Information | |||
---|---|---|---|
Name | VMSA-2018-0006 | First vendor Publication | 2018-01-26 |
Vendor | VMware | Last vendor Modification | 2018-01-26 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
a) vRealize Automation and vSphere Integrated Containers deserialization vulnerability via Xenon

vRealize Automation and vSphere Integrated Containers contain a deserialization vulnerability via Xenon. Successful exploitation of this issue may allow remote attackers to execute arbitrary code on the appliance.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4947 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product | Product Version | Running on | Severity | Replace with/ Apply Patch | Mitigation/ Workaround |
---|---|---|---|---|---|
vRA | 7.3 | Linux | Critical | KB52326, KB52316 | None |
vRA | 7.2 | Linux | Critical | KB52320 | None |
vRA | 7.1.x | Linux | N/A | not affected | None |
vRA | 7.0.x | Linux | N/A | not affected | None |
vRA | 6.x | Linux | N/A | not affected | None |
VIC | 1.x | Linux | Critical | 1.3.0 | None |

b) VMware AirWatch Console Cross Site Request Forgery (CSRF)

VMware AirWatch Console contains a Cross Site Request Forgery vulnerability when accessing the App Catalog. An attacker may exploit this issue by tricking users into installing a malicious application on their devices.

VMware would like to thank Abhishek Vijay Nayak for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4951 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
Original Source
Url : http://www.vmware.com/security/advisories/VMSA-2018-0006.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-502 | Deserialization of Untrusted Data |
50 % | CWE-352 | Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | | 2 |
Application | | 2 |
Application | | 1 |
Alert History
Date | Information |
---|---|
2018-02-27 21:22:18 | |
2018-01-29 21:22:22 | |
2018-01-26 17:21:00 | |