[Security-announce] Updated VMSA-2016-0016.1 - vRealize Operations (vROps) updates address privilege escalation vulnerability

VMware Security Announcements security-announce at lists.vmware.com
Tue Nov 15 14:59:28 PST 2016


?-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------------
- ---
                           VMware Security Advisory

Advisory ID: VMSA-2016-0016.1
Severity:    Critical
Synopsis:    vRealize Operations (vROps) updates address privilege
escalation
             vulnerability
Issue date:  2016-10-11
Updated on:  2016-11-15
CVE number:  CVE-2016-7457

1. Summary

   vRealize Operations (vROps) updates address privilege escalation
   vulnerability.

2. Relevant Products

   vRealize Operations (vROps)

3. Problem Description

   vROps privilege escalation issue

   vROps contains a privilege escalation vulnerability. Exploitation of
this
   issue may allow a vROps user who has been assigned a low-privileged role
to
   gain full access over the application. In addition it may be possible to
   stop and delete Virtual Machines managed by vCenter.

   VMware would like to thank Edgar Carvalho for reporting this issue to
us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7457 to this issue.

   Column 5 of the following table lists the action required to remediate
the
   vulnerability in each release, if a solution is available.

   VMware        Product    Running            Replace with/
   Product       Version    on       Severity  Apply Patch       Workaround
   ============  =========  =======  ========  ================  ==========
   vRealize      6.3.0      Any      Critical  6.4.0 or          None
   Operations                                  KB2147215
   vRealize      6.2.1      Any      Critical  6.4.0 or          None
   Operations                                  KB2147247
   vRealize      6.2.0a     Any      Critical  6.4.0 or          None
   Operations                                  KB2147246
   vRealize      6.1.0      Any      Critical  6.4.0 or          None
   Operations                                  KB2147248
   vRealize      6.0.x      Any      N/A       not affected      N/A
   Operations
   vRealize      5.x        Any      N/A       not affected      N/A
   Operations

4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.

   vRealize Operations
   Downloads and Documentation:

https://my.vmware.com/en/web/vmware/info/slug/infrastructure_operations_man
agement/vmware_vrealize_operations/6_4

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7457
   https://kb.vmware.com/kb/2147215
   https://kb.vmware.com/kb/2147247
   https://kb.vmware.com/kb/2147246
   https://kb.vmware.com/kb/2147248

- ---------------------------------------------------------------------------
- ---

6. Change log

   2016-10-11 VMSA-2016-0016
   Initial security advisory in conjunction with the
   release of vROps patches on 2016-10-11.
   2016-11-15 VMSA-2016-0016.1
   Security advisory update in conjunction with the
   release of vROps 6.4.0 on 2016-11-15.

- ---------------------------------------------------------------------------
- ---

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFYK5JyDEcm8Vbi9kMRAm/NAJ9QxrYvAQdH/cs8s1EYaMr3u2FMMACePU4Q
plnScxfwlbUViS0xmztmlvo=
=f2pH
-----END PGP SIGNATURE-----?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.vmware.com/pipermail/security-announce/attachments/20161115/ed7b2983/attachment.html>


More information about the Security-announce mailing list