-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.2438.3
 VMSA-2018-0021: Operating System-Specific Mitigations address L1 Terminal
           Fault - OS vulnerability in VMware Virtual Appliances
                               26 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMWare products
Publisher:         VMWare
Operating System:  Virtualisation
Impact/Access:     Access Privileged Data -- Existing Account
Resolution:        None
CVE Names:         CVE-2018-3620  

Reference:         ESB-2018.2416
                   ESB-2018.2398
                   ESB-2018.2370.2
                   ESB-2018.2368
                   ESB-2018.2348.3

Original Bulletin: 
   https://www.vmware.com/au/security/advisories/VMSA-2018-0021.html

Revision History:  July     26 2019: Updated advisory to include mitigated versions of products
                   November 30 2018: Updated advisory to include fixed versions of vCenter Server Appliance, vSphere Integrated Containers, and vRealize Automation in conjunction with the release of vCenter Server Appliance 6.5u2d on 2018-11-29.
                   August   21 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

VMSA-2018-0021.2

  Operating System-Specific Mitigations address L1 Terminal Fault - OS
  vulnerability in VMware Virtual Appliances.

      VMware Security Advisory



   VMware Security Advisory Advisory ID:
     VMSA-2018-0021.2
   VMware Security Advisory Severity:
     Moderate
   VMware Security Advisory Synopsis:
     Operating System-Specific Mitigations address L1 Terminal Fault -
   OS vulnerability in VMware Virtual Appliances.
   VMware Security Advisory Issue date:
     2018-08-14
   VMware Security Advisory Updated on:
     2018-07-25
   VMware Security Advisory CVE numbers:
     CVE-2018-3620

      1. Summary

   Operating System-Specific Mitigations address L1 Terminal Fault - OS
   vulnerability in VMware Virtual Appliances.



   The mitigations in this advisory are categorized as Operating System
   Specific Mitigations described by VMware Knowledge Base article 55636.

      2. Relevant Products

     * vCloud Usage Meter (UM)
     * Identity Manager (vIDM)
     * vCenter Server Appliance (vCSA)
     * vSphere Data Protection (VDP)
     * vSphere Integrated Containers (VIC)
     * vRealize Automation (vRA)

      3. Problem Description

   VMware Virtual Appliance Mitigations address L1 Terminal Fault - OS
   vulnerability. Successful exploitation of this issue may lead to local
   information disclosure of sensitive information. Unaffected products lines
   are documented in KB55807.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2018-3620 to this issue.



   Column 5 of the following table lists the action required to mitigate the
   vulnerability in each release, if a solution is available.


+-------------------------------------------------------------------------------+
|VMware |Product|Running|Severity|Replace_with/Apply_Patch|Mitigation/Workaround|
|Product|Version|  On   |        |                        |                     |
|-------+-------+-------+--------+------------------------+---------------------|
|UM     |3.x    |VA     |Moderate|Won't Fix               |KB52467              |
|-------+-------+-------+--------+------------------------+---------------------|
|vIDM   |3.x,   |VA     |Moderate|19.03                   |KB52284              |
|       |2.x    |       |        |                        |                     |
|-------+-------+-------+--------+------------------------+---------------------|
|vCSA   |6.7    |VA     |Moderate|6.7u1                   |KB52312              |
|-------+-------+-------+--------+------------------------+---------------------|
|vCSA   |6.5    |VA     |Moderate|6.5u2d                  |KB52312              |
|-------+-------+-------+--------+------------------------+---------------------|
|vCSA   |6.0    |VA     |Moderate|6.0u3i                  |KB52312              |
|-------+-------+-------+--------+------------------------+---------------------|
|vCSA   |5.5    |VA     |N/A     |Unaffected              |N/A                  |
|-------+-------+-------+--------+------------------------+---------------------|
|VDP    |6.x    |VA     |Moderate|6.1.11                  |None                 |
|-------+-------+-------+--------+------------------------+---------------------|
|VIC    |1.x    |VA     |Moderate|1.4.3                   |None                 |
|-------+-------+-------+--------+------------------------+---------------------|
|vRA    |7.x    |VA     |Moderate|7.5.0                   |KB52377              |
|-------+-------+-------+--------+------------------------+---------------------|
|vRA    |6.x    |VA     |Moderate|7.5.0                   |KB52497              |
+-------------------------------------------------------------------------------+

   4. Solution
   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.

   Identity Manager 19.03

   Downloads and Documentation:

   https://my.vmware.com/web/vmware/details?downloadGroup=VIDM_ONPREM_1903&productId=885&rPId=32629



   vCenter Server Appliance 6.7u1
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?downloadGroup=VC67U1&productId=742&rPId=28531

   vCenter Server Appliance 6.5u2d
   Downloads and Documentation:
   https://my.vmware.com/group/vmware/details?productId=614&rPId=28806&downloadGroup=VC65U2D

   vCenter Server Appliance 6.0u3i

   Downloads and Documentation:

   https://my.vmware.com/web/vmware/details?downloadGroup=VC60U3I&productId=491&rPId=35159



   vSphere Data Protection 6.1.11

   Downloads and Documentation:

   https://my.vmware.com/web/vmware/details?downloadGroup=VDP6111&productId=491&rPId=35158



   vSphere Integrated Containers 1.4.3
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?productId=749&rPId=27736&downloadGroup=VIC143

   vRealize Automation 7.5.0
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/details?downloadGroup=VRA-750&productId=797&rPId=26779

   5. References



   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3620

   https://kb.vmware.com/kb/55807

   https://kb.vmware.com/kb/55636

   https://kb.vmware.com/kb/52467

   https://kb.vmware.com/kb/52284

   https://kb.vmware.com/kb/52312

   https://kb.vmware.com/kb/52377

   https://kb.vmware.com/kb/52497



   6. Change log



   2018-08-14: VMSA-2018-0021
   Initial security advisory.



   2018-11-29: VMSA-2018-0021.1
   Updated advisory to include fixed versions of vCenter Server
   Appliance, vSphere Integrated Containers, and vRealize Automation in
   conjunction with the release of vCenter Server Appliance 6.5u2d on
   2018-11-29.



   2019-07-25: VMSA-2018-0021.2
   Updated advisory to include mitigated versions of Identity Manager 19.03,
   vCenter Server Appliance 6.0u3i, and vSphere Data Protection 6.1.11.

   7. Contact



   E-mail list for product security notifications and announcements:

   https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXTqENWaOgq3Tt24GAQgwQBAAu57Q89UFS2jfAO/ZbxaLIYf1wSvaNwbI
NtB5sTmJUmPegRIyb1UpOcJWCP3cixxvsroHCz7iGNgDN85wC+tPvNUG/IOmk4H7
x29YYWGKjosmQg4/xc6Yg5eGeSQpbChUOmA/70M2lBos6IDaaFC3ky8klU49Flyg
iJLdKnEfR/FEisbv3fkV+ijn9lUiLRaGVnFfnYU2OtIohKNliFhyZWuuFZB987O9
GLZtLa5K6XvNkcp0qt0KoNxjsBwuZDrbGifTqczucv6tN4cm78zx0BtRrUalJ85Q
vOqKJecAIvaQWjwXDoeDm5ibsrjeNS6bZ/nKNskKJx4QAamDMN1TDcCzGTSAMruk
TKUu0eMgmGZtSTrn3ago1m+NE/mczeIiohMBGrup7FM9XCTZpNX1sJg62rW2k1TG
8ncHzKAMw4d00/wxgFkfyP3SdKrunYwEUVy2pasPAjVnFqib4QRpIVcDS3LVUgxd
PfzUfbtYvaBEAOp7MK+xh+xnTqHlUUBO5nmVy0Y0bChYWEjI+dFs3ikVF1Z7kGMc
sy0D6yyfPkUZrOISiwYvG6lrj5qSJr8RvyqS42ukeAaiXiEAFMSh9o7OjfOnRIhJ
gvrohwbTu86E98nbEGynOh2m0YZGIo/9sSOvWxmvv883eda2fqchmabcGvvmfTLH
k7RaPxmpG7w=
=oEx1
-----END PGP SIGNATURE-----