[Security-announce] NEW VMSA-2016-0016 - vRealize Operations (vROps) updates address privilege escalation vulnerability

VMware Security Announcements security-announce at lists.vmware.com
Tue Oct 11 11:13:14 PDT 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------------
- ---
                           VMware Security Advisory
 
Advisory ID: VMSA-2016-0016
Severity:    Critical
Synopsis:    vRealize Operations (vROps) updates address privilege
escalation
             vulnerability
Issue date:  2016-10-11
Updated on:  2016-10-11 (Initial Advisory)
CVE number:  CVE-2016-7457
 
1. Summary
 
   vRealize Operations (vROps) updates address privilege escalation
   vulnerability.
 
2. Relevant Products
 
   vRealize Operations (vROps)
 
3. Problem Description
 
   vROps privilege escalation issue
 
   vROps contains a privilege escalation vulnerability. Exploitation of
this
   issue may allow a vROps user who has been assigned a low-privileged role
to
   gain full access over the application. In addition it may be possible to
   stop and delete Virtual Machines managed by vCenter.
 
   VMware would like to thank Edgar Carvalho for reporting this issue to
us.
 
   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7457 to this issue.
 
   Column 5 of the following table lists the action required to remediate
the
   vulnerability in each release, if a solution is available.
 
   VMware        Product    Running            Replace with/
   Product       Version    on       Severity  Apply Patch       Workaround
   ============  =========  =======  ========  ================  ==========
   vRealize      6.3.0      Any      Critical  patch pending     KB2147215
   Operations
   vRealize      6.2.1      Any      Critical  patch pending     KB2147247
   Operations
   vRealize      6.2.0a     Any      Critical  patch pending     KB2147246
   Operations
   vRealize      6.1.0      Any      Critical  patch pending     KB2147248
   Operations
   vRealize      6.0.x      Any      N/A       not affected      N/A
   Operations
   vRealize      5.x        Any      N/A       not affected      N/A
   Operations
 
4. Solution
 
   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.
 
   vRealize Operations
   Downloads and Documentation:
  
https://my.vmware.com/en/web/vmware/info/slug/infrastructure_operations_man
agement/vmware_vrealize_operations/6_3
 
5. References
 
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7457
   https://kb.vmware.com/kb/2147215
   https://kb.vmware.com/kb/2147247
   https://kb.vmware.com/kb/2147246
   https://kb.vmware.com/kb/2147248
 
- ------------------------------------------------------------------------
 
6. Change log
 
   2016-10-11 VMSA-2016-0016 Initial security advisory in conjunction with
the
   release of vROps patches on 2016-10-11.
 
- ------------------------------------------------------------------------
 
7. Contact
 
   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
 
   This Security Advisory is posted to the following lists:
 
    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org
 
   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055
 
   VMware Security Advisories
   http://www.vmware.com/security/advisories
 
   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html
 
   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
   Twitter
   https://twitter.com/VMwareSRC
 
   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFX/R/UDEcm8Vbi9kMRAj3FAJ43HMAzNewwue2rxnFswh3hhYqOigCeNyZR
5o7laY/61IQP8umE2hrK4gw=
=wckh
-----END PGP SIGNATURE-----



More information about the Security-announce mailing list