[Security-announce] NEW VMSA-2018-0023 AirWatch Agent and VMware Content Locker updates resolve data protection vulnerabilities

VMware Security Announcements security-announce at lists.vmware.com
Wed Sep 5 13:47:53 PDT 2018


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                        VMware Security Advisory

Advisory ID: VMSA-2018-0023
Severity:    Low
Synopsis:    AirWatch Agent and VMware Content Locker updates resolve
             data protection vulnerabilities.
Issue date:  2018-09-05
Updated on:  2018-09-05 (Initial Advisory)
CVE number:  CVE-2018-6975
             CVE-2018-6976

1. Summary

   AirWatch Agent and VMware Content Locker updates resolve data
   protection vulnerabilities.

2. Relevant Products

   AirWatch Agent for iOS (A/W Agent)
   VMware Content Locker for iOS (A/W Locker)

3. Problem Description

   a. The AirWatch Agent for iOS devices contains a data
   protection vulnerability

   The AirWatch Agent for iOS devices contains a data protection
   vulnerability whereby the files and keychain entries in the Agent are
   not encrypted.

   VMware would like to thank Stephan Sekula of Compass Security for
   reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2018-6975 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware      Product   Running           Replace with/     Mitigation/
   Product     Version   on      Severity  Apply Patch       Workaround
   =========== ========= ======= ========= ================= ==========
   A/W Agent   x.x       iOS     Low       5.8.1             None

   b. The VMware Content Locker for iOS devices contains a data
   protection vulnerability

   The VMware Content Locker for iOS devices contains a data protection
   vulnerability in the SQLite database. This vulnerability relates to
   unencrypted filenames and associated metadata in the SQLite database
   for the Content Locker.

   VMware would like to thank Stephan Sekula of Compass Security for
   reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2018-6976 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware      Product   Running           Replace with/     Mitigation/
   Product     Version   on      Severity  Apply Patch       Workaround
   =========== ========= ======= ========= ================= ==========
   A/W Locker  x.x       iOS     Low       4.14              None

4. Solution

  AirWatch Agent for iOS 5.8.1
  Downloads and Documentation:
  https://itunes.apple.com/us/app/airwatch-agent/id338761996?mt=8

  VMware Content Locker for iOS 4.14
  Downloads and Documentation:
  https://itunes.apple.com/us/app/vmware-content-locker/id525890839?mt=8

5. References

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6975
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6976

- ------------------------------------------------------------------------

6. Change log

   2018-09-05: Initial security advisory in conjunction with the release
   of VMware Content Locker for iOS 4.14 on 2018-09-05

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2018 VMware Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.4.1 (Build 490)
Charset: utf-8

wj8DBQFbj7R3DEcm8Vbi9kMRAlpuAJ0eOiXkLtOK1A7zFwo0knFmzSRW/wCgibMB
aId87Av2WFMpTiIEkrXPOMY=
=bxYL
-----END PGP SIGNATURE-----
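
Added example, not part of the VMware advisory: a fleet check that flags devices still running a release older than the fixed versions listed in section 4. The inventory format, column names and device names are constructed for illustration, and the check assumes every release at or above the fixed version carries the fix.

```python
import csv
import io

# Fixed releases and CVE ids, taken from sections 3 and 4 of the advisory.
FIXED = {
    "AirWatch Agent": ("5.8.1", "CVE-2018-6975"),
    "VMware Content Locker": ("4.14", "CVE-2018-6976"),
}

# Constructed sample inventory: column names and devices are hypothetical.
SAMPLE_INVENTORY = """device,app,version
ipad-001,AirWatch Agent,5.8
ipad-001,VMware Content Locker,4.14
iphone-014,AirWatch Agent,5.8.1
iphone-014,VMware Content Locker,4.9.2
iphone-027,AirWatch Agent,5.10.0
iphone-031,VMware Content Locker,unknown
iphone-031,Safari,11.4
"""

def parse_version(text):
    """Return a tuple of ints for a dotted version, or None if malformed."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_fixed(installed, fixed):
    """Numeric compare, zero-padded: 5.8 < 5.8.1, and 4.9.2 < 4.14."""
    width = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) >= pad(fixed)

def triage(inventory_csv):
    """Return (device, app, version, cve, status) per row the advisory covers."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["app"] not in FIXED:
            continue  # product not covered by this advisory
        fixed_text, cve = FIXED[row["app"]]
        installed = parse_version(row["version"])
        if installed is None:
            status = "review"  # unparseable version: never assume patched
        elif is_fixed(installed, parse_version(fixed_text)):
            status = "ok"
        else:
            status = "update"
        findings.append((row["device"], row["app"], row["version"], cve, status))
    return findings
```

Calling triage(SAMPLE_INVENTORY) returns one tuple per covered app; rows with status "update" or "review" are the ones to follow up.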
