ESB-2014.2351 - [Win] VMware AirWatch: Access confidential data - Existing account

Date: 11 December 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2351
          AirWatch by VMware product update addresses information
                        disclosure vulnerabilities
                             11 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware AirWatch
Publisher:         VMware
Operating System:  Windows
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-8372  

Original Bulletin: 
   http://www.vmware.com/security/advisories/VMSA-2014-0014.html

- --------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

Advisories

VMSA-2014-0014

AirWatch by VMware product update addresses information disclosure 
vulnerabilities

VMware Security Advisory

Advisory ID: VMSA-2014-0014

Synopsis: AirWatch by VMware product update addresses information disclosure 
vulnerabilities

Issue date: 2014-12-10

Updated on: 2014-12-10 (Initial Advisory)

CVE numbers: CVE-2014-8372

1. Summary

AirWatch by VMware product update addresses information disclosure 
vulnerabilities

2. Relevant releases

AirWatch by VMware on-premise 7.3.x.x prior to 7.3.3.0 (FP3)

3. Problem Description 

a. AirWatch by VMware information disclosure vulnerability

AirWatch by VMware has direct object reference vulnerabilities. These issues 
may allow a user that manages an AirWatch deployment in a multi-tenant 
environment to view the organizational information and statistics of another 
tenant.
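The defect class named above (a direct object reference that is looked up without checking which tenant owns the record) is easiest to see next to its fix. The following is an added example and not AirWatch or VMware code; the Session and Organization records, the handler names, and the access-log layout are all constructed for illustration. The hardened handler takes the tenant id from the authenticated session rather than the request and treats another tenant's record exactly like a missing one, and a small audit routine shows how the same ownership comparison can be run over past access records to find cross-tenant reads that already happened.

```python
"""Tenant-scoped authorization for a multi-tenant admin API.

Constructed example illustrating the vulnerability class in VMSA-2014-0014
(direct object reference without an ownership check). This is not AirWatch
code; the record layout, function names and log format are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Authenticated administrator and the single tenant they belong to."""
    user: str
    tenant_id: int


@dataclass(frozen=True)
class Organization:
    org_id: int
    tenant_id: int          # owning tenant; this is the authorization key
    name: str
    enrolled_devices: int


# Constructed sample data: two tenants sharing one deployment.
ORGANIZATIONS = {
    101: Organization(101, 1, "Tenant A Corp", 4200),
    102: Organization(102, 1, "Tenant A Subsidiary", 310),
    205: Organization(205, 2, "Tenant B Ltd", 890),
}


class NotFound(Exception):
    """Raised for both 'no such id' and 'not your tenant', so the response
    does not reveal whether another tenant's object exists."""


def get_org_stats_vulnerable(session: Session, org_id: int) -> dict:
    """Insecure direct object reference: the caller-supplied id is looked up
    directly and the record is returned regardless of which tenant owns it."""
    org = ORGANIZATIONS.get(org_id)
    if org is None:
        raise NotFound(org_id)
    return {"name": org.name, "enrolled_devices": org.enrolled_devices}


def get_org_stats_hardened(session: Session, org_id: int) -> dict:
    """Same lookup with the query scoped to the caller's tenant. The tenant
    id comes from the authenticated session, never from the request, and a
    record owned by another tenant is treated exactly like a missing one."""
    org = ORGANIZATIONS.get(org_id)
    if org is None or org.tenant_id != session.tenant_id:
        raise NotFound(org_id)
    return {"name": org.name, "enrolled_devices": org.enrolled_devices}


def is_denied(session: Session, org_id: int) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        get_org_stats_hardened(session, org_id)
    except NotFound:
        return True
    return False


# Constructed access-log records as the vulnerable handler would have
# produced them: who asked, which tenant their session belonged to, and
# which organization id was served.
SAMPLE_ACCESS_LOG = [
    {"user": "admin-a", "session_tenant": 1, "org_id": 101, "status": 200},
    {"user": "admin-a", "session_tenant": 1, "org_id": 205, "status": 200},
    {"user": "admin-b", "session_tenant": 2, "org_id": 205, "status": 200},
    {"user": "admin-b", "session_tenant": 2, "org_id": 102, "status": 200},
]


def find_cross_tenant_reads(records: list) -> list:
    """Detection: flag successful responses where the served object belongs
    to a tenant other than the one the session was authenticated for."""
    flagged = []
    for rec in records:
        org = ORGANIZATIONS.get(rec["org_id"])
        if (rec["status"] == 200 and org is not None
                and org.tenant_id != rec["session_tenant"]):
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    tenant_a = Session("admin-a", 1)
    # The vulnerable handler hands tenant A an object owned by tenant B.
    print(get_org_stats_vulnerable(tenant_a, 205))
    # The hardened handler refuses the same request.
    print("denied" if is_denied(tenant_a, 205) else "allowed")
    for rec in find_cross_tenant_reads(SAMPLE_ACCESS_LOG):
        print("cross-tenant read:", rec)
```

The single `NotFound` exception for both the missing and the foreign-tenant case is deliberate: returning a distinct "forbidden" status would still confirm to one tenant that another tenant's object id exists, which is itself a small information disclosure.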

AirWatch Cloud has already been patched to resolve this issue; On-Premise
deployments must be updated. See the Solution section for details.

VMware would like to thank Denis Andzakovic of security-assessment.com for 
reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the identifier CVE-2014-8372 to this issue.

Column 4 of the following table lists the action required to remediate the 
vulnerability in each release, if a solution is available.

VMware Product        Product Version   Running on   Replace with/Apply Patch

AirWatch Cloud        N/A               any          No action required.

AirWatch On-Premise   7.3.x.x           any          7.3.3.0 (FP3)

4. Solution

Please review the patch/release notes for your product and version and verify
the checksum of your downloaded file.

AirWatch On-Premise 

Downloads:

To perform a self-upgrade, please email support@air-watch.com to request the 
install files. (Please note that only requests submitted by your company's 
AirWatch Administrator(s) will be accepted.)

Customers may also engage an AirWatch Upgrades Engineer to perform the 
upgrade on their behalf. To engage an AirWatch Upgrades Engineer, please reach
out to your Account Executive for more information.

Release Documentation:

https://my.air-watch.com/

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8372

6. Change log

2014-12-10 VMSA-2014-0014

Initial security advisory in conjunction with the release of AirWatch 
on-premise 7.3.3.0 on 2014-12-10.

7. Contact

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce at lists.vmware.com
bugtraq at securityfocus.com
fulldisclosure at seclists.org

E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories http://www.vmware.com/security/advisories

VMware Security Response Policy 
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases 
https://www.vmware.com/support/policies/lifecycle.html

Twitter https://twitter.com/VMwareSRC

Copyright 2014 VMware Inc. All rights reserved.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----