-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ---------------------------------------------------------------------------
- ---
VMware Security Advisory
Advisory ID: VMSA-2016-0016
Severity: Critical
Synopsis: vRealize Operations (vROps) updates address privilege
escalation
vulnerability
Issue date: 2016-10-11
Updated on: 2016-10-11 (Initial Advisory)
CVE number: CVE-2016-7457
1. Summary
vRealize Operations (vROps) updates address privilege escalation
vulnerability.
2. Relevant Products
vRealize Operations (vROps)
3. Problem Description
vROps privilege escalation issue
vROps contains a privilege escalation vulnerability. Exploitation of
this
issue may allow a vROps user who has been assigned a low-privileged role
to
gain full access over the application. In addition it may be possible to
stop and delete Virtual Machines managed by vCenter.
VMware would like to thank Edgar Carvalho for reporting this issue to
us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-7457 to this issue.
Column 5 of the following table lists the action required to remediate
the
vulnerability in each release, if a solution is available.
VMware Product Running Replace with/
Product Version on Severity Apply Patch Workaround
============ ========= ======= ======== ================ ==========
vRealize 6.3.0 Any Critical patch pending KB2147215
Operations
vRealize 6.2.1 Any Critical patch pending KB2147247
Operations
vRealize 6.2.0a Any Critical patch pending KB2147246
Operations
vRealize 6.1.0 Any Critical patch pending KB2147248
Operations
vRealize 6.0.x Any N/A not affected N/A
Operations
vRealize 5.x Any N/A not affected N/A
Operations
4. Solution
Please review the patch/release notes for your product and version and
verify the checksum of your downloaded file.
vRealize Operations
Downloads and Documentation:
https://my.vmware.com/en/web/vmware/info/slug/infrastructure_operations_man
agement/vmware_vrealize_operations/6_3
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7457
https://kb.vmware.com/kb/2147215
https://kb.vmware.com/kb/2147247
https://kb.vmware.com/kb/2147246
https://kb.vmware.com/kb/2147248
- ------------------------------------------------------------------------
6. Change log
2016-10-11 VMSA-2016-0016 Initial security advisory in conjunction with
the
release of vROps patches on 2016-10-11.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org
E-mail: security at vmware.com
PGP key at: https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
Twitter
https://twitter.com/VMwareSRC
Copyright 2016 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFX/S0YDEcm8Vbi9kMRAhh7AJ0ctS7c+oxpaQCNvEx+SpVM5fawZACfYvPA
IhRXucua8IjVJBRr8/z45wg=
=JUi8
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
