[Security-announce] New VMSA-2016-0008 VMware vRealize Log Insight addresses important and moderate security issues

VMware Security Announcements security-announce at lists.vmware.com
Thu Jun 9 21:47:10 PDT 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2016-0008
Synopsis:    VMware vRealize Log Insight addresses important and
             moderate security issues.
Issue date:  2016-06-09
Updated on:  2016-06-09 (Initial Advisory)
CVE number:  CVE-2016-2081, CVE-2016-2082

1. Summary

   VMware vRealize Log Insight addresses important and moderate security
   issues.

2. Relevant Releases

   VMware vRealize Log Insight prior to 3.3.2

3. Problem Description

   a. Important stored cross-site scripting issue in VMware vRealize Log
      Insight

   VMware vRealize Log Insight contains a vulnerability that may
   allow for a stored cross-site scripting attack. Exploitation of this
   issue may lead to the hijack of an authenticated user's session.

   VMware would like to thank Lukasz Plonka for reporting this issue to
   us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-2081 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                        Product   Running   Replace with/
   Product                       Version   on        Apply Patch
   ===========================   =======   =======   =================
   VMware vRealize Log Insight   3.x       Virtual   3.3.2
                                           Appliance
   VMware vRealize Log Insight   2.x       Virtual   3.3.2
                                           Appliance

   b. Moderate cross-site request forgery issue in VMware vRealize Log
      Insight

   VMware vRealize Log Insight contains a vulnerability that may
   allow for a cross-site request forgery attack. Exploitation of this
   issue may lead to an attacker replacing trusted content in the Log
   Insight UI without the user's authorization.

   VMware would like to thank Lukasz Plonka for reporting this issue to
   us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-2082 to this issue.

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware                        Product   Running   Replace with/
   Product                       Version   on        Apply Patch
   ===========================   =======   =======   =================
   VMware vRealize Log Insight   3.x       Virtual   3.3.2
                                           Appliance
   VMware vRealize Log Insight   2.x       Virtual   3.3.2
                                           Appliance

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   VMware vRealize Log Insight 3.3.2
   Downloads and Documentation:


https://my.vmware.com/en/web/vmware/info/slug/infrastructure_operations_man
agement/vmware_vrealize_log_insight/3_3

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2081
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2082

- ------------------------------------------------------------------------

6. Change log

   2016-06-09 VMSA-2016-0008 Initial security advisory in conjunction
   with the release of VMware vRealize Log Insight 3.3.2 on 2016-06-09.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   http://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.2 (Build 21165)
Charset: utf-8

wj8DBQFXWj/PDEcm8Vbi9kMRAnAIAJ41gvMcGGXT4455eNmt7tR48d8pmgCgun/W
uMHWtNOrpA7NINIY+E8ASpo=
=QmsU
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.vmware.com/pipermail/security-announce/attachments/20160610/e5d949dd/attachment.html>


More information about the Security-announce mailing list