SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   VMware vRealize Vendors:   VMware
VMware vRealize Operations Lets Remote Authenticated Users Gain Elevated Privileges
SecurityTracker Alert ID:  1036999
SecurityTracker URL:  http://securitytracker.com/id/1036999
CVE Reference:   CVE-2016-7457   (Links to External Site)
Date:  Oct 12 2016
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.1.0, 6.2.0a, 6.2.1, 6.3.0
Description:   A vulnerability was reported in VMware vRealize Operations. A remote authenticated user can gain elevated privileges.

A remote authenticated low-privileged user can gain elevated privileges on the target application. This can be exploited to gain full access on the target application and to stop and delete virtual machines managed by the vCenter system.

Edgar Carvalho reported this vulnerability.

Impact:   A remote authenticated user can gain elevated privileges on the target system.
Solution:   The vendor is developing a fix.

The vendor advisory is available at:

http://www.vmware.com/security/advisories/VMSA-2016-0016.html

Vendor URL:  www.vmware.com/security/advisories/VMSA-2016-0016.html (Links to External Site)
Cause:   Not specified
Underlying OS:  Linux (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Security-announce] NEW VMSA-2016-0016 - vRealize Operations (vROps) updates address privilege escalation vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------------
- ---
                           VMware Security Advisory
 
Advisory ID: VMSA-2016-0016
Severity:    Critical
Synopsis:    vRealize Operations (vROps) updates address privilege
escalation
             vulnerability
Issue date:  2016-10-11
Updated on:  2016-10-11 (Initial Advisory)
CVE number:  CVE-2016-7457
 
1. Summary
 
   vRealize Operations (vROps) updates address privilege escalation
   vulnerability.
 
2. Relevant Products
 
   vRealize Operations (vROps)
 
3. Problem Description
 
   vROps privilege escalation issue
 
   vROps contains a privilege escalation vulnerability. Exploitation of
this
   issue may allow a vROps user who has been assigned a low-privileged role
to
   gain full access over the application. In addition it may be possible to
   stop and delete Virtual Machines managed by vCenter.
 
   VMware would like to thank Edgar Carvalho for reporting this issue to
us.
 
   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2016-7457 to this issue.
 
   Column 5 of the following table lists the action required to remediate
the
   vulnerability in each release, if a solution is available.
 
   VMware        Product    Running            Replace with/
   Product       Version    on       Severity  Apply Patch       Workaround
   ============  =========  =======  ========  ================  ==========
   vRealize      6.3.0      Any      Critical  patch pending     KB2147215
   Operations
   vRealize      6.2.1      Any      Critical  patch pending     KB2147247
   Operations
   vRealize      6.2.0a     Any      Critical  patch pending     KB2147246
   Operations
   vRealize      6.1.0      Any      Critical  patch pending     KB2147248
   Operations
   vRealize      6.0.x      Any      N/A       not affected      N/A
   Operations
   vRealize      5.x        Any      N/A       not affected      N/A
   Operations
 
4. Solution
 
   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.
 
   vRealize Operations
   Downloads and Documentation:
  
https://my.vmware.com/en/web/vmware/info/slug/infrastructure_operations_man
agement/vmware_vrealize_operations/6_3
 
5. References
 
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7457
   https://kb.vmware.com/kb/2147215
   https://kb.vmware.com/kb/2147247
   https://kb.vmware.com/kb/2147246
   https://kb.vmware.com/kb/2147248
 
- ------------------------------------------------------------------------
 
6. Change log
 
   2016-10-11 VMSA-2016-0016 Initial security advisory in conjunction with
the
   release of vROps patches on 2016-10-11.
 
- ------------------------------------------------------------------------
 
7. Contact
 
   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
 
   This Security Advisory is posted to the following lists:
 
    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org
 
   E-mail: security at vmware.com
   PGP key at: https://kb.vmware.com/kb/1055
 
   VMware Security Advisories
   http://www.vmware.com/security/advisories
 
   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html
 
   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
   Twitter
   https://twitter.com/VMwareSRC
 
   Copyright 2016 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8

wj8DBQFX/R/UDEcm8Vbi9kMRAj3FAJ43HMAzNewwue2rxnFswh3hhYqOigCeNyZR
5o7laY/61IQP8umE2hrK4gw=
=wckh
-----END PGP SIGNATURE-----

_______________________________________________
Security-announce mailing list
Security-announce@lists.vmware.com
http://lists.vmware.com/mailman/listinfo/security-announce
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC