------------------------------------------------------------------------

                               VMware Security Advisory

Advisory ID: VMSA-2018-0009
Severity:    Important
Synopsis:    vRealize Automation updates address
             multiple security issues.
Issue date:  2018-04-12
Updated on:  2018-04-12 (Initial Advisory)
CVE number:  CVE-2018-6958, CVE-2018-6959

1. Summary

   vRealize Automation (vRA) updates address
   multiple security issues.

2. Relevant Products

   vRealize Automation (vRA)

3. Problem Description

   a. DOM-based cross-site scripting (XSS) vulnerability

   VMware vRealize Automation contains a vulnerability that may allow
   for a DOM-based cross-site scripting (XSS) attack. Exploitation of
   this issue may lead to the compromise of the vRA user's workstation.

   VMware would like to thank Oliver Matula and Benjamin Schwendemann
   of ERNW Enno Rey Netzwerke GmbH for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2018-6958 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware      Product    Running            Replace with/     Mitigation/
   Product     Version    on       Severity  Apply Patch       Workaround
   ==========  =========  =======  ========  ================  ==========
   vRA         7.3.x      VA       Important 7.3.1             None
   vRA         7.2.x      VA       Important 7.3.1             None
   vRA         7.1.x      VA       Important 7.3.1             None
   vRA         7.0.x      VA       Important 7.3.1             None
   vRA         6.2.x      VA       N/A       not affected      N/A


   b. Missing renewal of session tokens vulnerability

   VMware vRealize Automation contains a vulnerability in the handling
   of session IDs. Exploitation of this issue may lead to the hijacking
   of a valid vRA user's session.

   VMware would like to thank Oliver Matula and Benjamin Schwendemann
   of ERNW Enno Rey Netzwerke GmbH for reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2018-6959 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware      Product    Running            Replace with/     Mitigation/
   Product     Version    on       Severity  Apply Patch       Workaround
   ==========  =========  =======  ========  ================  ==========
   vRA         7.3.x      VA       Moderate  7.4.0             None
   vRA         7.2.x      VA       Moderate  7.4.0             None
   vRA         7.1.x      VA       Moderate  7.4.0             None
   vRA         7.0.x      VA       Moderate  7.4.0             None
   vRA         6.2.x      VA       N/A       not affected      N/A
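   Issue b is the weakness class in which an application keeps the same session
   identifier across authentication. The following Python is an added illustration,
   not VMware's code: it models that weak pattern beside the hardened form and
   provides a check that reads Set-Cookie values, so the same check can be applied
   to captured pre- and post-login responses. The cookie name JSESSIONID and the
   store classes are assumptions for the example.

```python
"""Session-renewal check for the weakness class behind CVE-2018-6959."""
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"   # assumption: the application's session cookie name


def set_cookie_header(sid):
    """Build the Set-Cookie value a server would send for a session id."""
    return f"{SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly"


class NonRenewingSessionStore:
    """Weak form: the pre-authentication session id stays valid after login."""

    def __init__(self):
        self.sessions = {}           # session id -> user (None = not logged in)

    def start(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        return set_cookie_header(sid)

    def login(self, sid, user):
        self.sessions[sid] = user    # same id, now carries an authenticated user
        return set_cookie_header(sid)


class RenewingSessionStore(NonRenewingSessionStore):
    """Hardened form: login invalidates the old id and issues a fresh one."""

    def login(self, sid, user):
        self.sessions.pop(sid, None)  # the old id can no longer be replayed
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = user
        return set_cookie_header(new_sid)


def session_id(set_cookie_value, name=SESSION_COOKIE):
    """Extract the session id from a Set-Cookie header value, or None if absent."""
    cookie = SimpleCookie()
    cookie.load(set_cookie_value)
    return cookie[name].value if name in cookie else None


def renews_session_on_login(store, user="alice"):
    """True only if login changed the id and the old id is no longer a session."""
    before = session_id(store.start())
    after = session_id(store.login(before, user))
    return after is not None and after != before and before not in store.sessions
```

   Against real responses, feed the pre-login and post-login Set-Cookie values to
   session_id and apply the same three conditions; a store that passes only the
   first two still leaves the old identifier usable.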


4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.

   vRealize Automation 7.3.1
   Downloads:
   https://my.vmware.com/web/vmware/info/slug/
   infrastructure_operations_management/vmware_vrealize_automation/7_3
   Documentation:
   https://docs.vmware.com/en/vRealize-Automation/index.html

   vRealize Automation 7.4.0
   Downloads:
   https://my.vmware.com/web/vmware/info/slug/
   infrastructure_operations_management/vmware_vrealize_automation/7_4
   Documentation:
   https://docs.vmware.com/en/vRealize-Automation/index.html


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6958
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6959

-------------------------------------------------------------------------

6. Change log

   2018-04-12 VMSA-2018-0009
   Initial security advisory in conjunction with the release of
   vRealize Automation 7.4.0 on 2018-04-12

-------------------------------------------------------------------------
7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     security-announce@lists.vmware.com
     bugt...@securityfocus.com
     fulldisclos...@seclists.org

   E-mail: secur...@vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2018 VMware Inc.  All rights reserved.
