VMSA-2016-0018.3

VMware product updates address local privilege escalation vulnerability in Linux kernel

VMware Security Advisory

Advisory ID: VMSA-2016-0018.3
Severity: Important
Synopsis: VMware product updates address local privilege escalation vulnerability in Linux kernel
Issue date: 2016-11-09
Updated on: 2016-11-22
CVE numbers: CVE-2016-5195
 
1. Summary

VMware product updates address local privilege escalation vulnerability in Linux kernel.

2. Relevant Products

  • VMware Identity Manager
  • vRealize Automation
  • vRealize Operations

3. Problem Description

a. Local privilege escalation vulnerability in Linux kernel

 

The Linux kernel that ships with the base operating system of VMware Appliances contains a race condition (known as "Dirty COW") in the way its memory subsystem handles copy-on-write. Successful exploitation of the vulnerability may allow for local privilege escalation. The product lines listed in this advisory have been confirmed to be affected. VMware product lines that are not affected are documented in VMware Knowledge Base article 2147515.
 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-5195 to this issue.  

 

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product           Product Version  Running on  Severity   Replace with/Apply Patch  Mitigation/Workaround
VMware Identity Manager  2.x              VA          Important  2.8                       None
vRealize Automation      7.x              VA          Important  7.2.0                     None
vRealize Automation      6.x              VA          Important  6.2.5                     None
vRealize Operations      6.3.0            VA          Important  6.4.0 or KB2147630        None
vRealize Operations      6.2.1            VA          Important  6.4.0 or KB2147668        None
vRealize Operations      6.2.0a           VA          Important  6.4.0 or KB2147667        None
vRealize Operations      6.1.0            VA          Important  6.4.0 or KB2147666        None
vRealize Operations      6.0.3            VA          Important  6.4.0 or KB2147664        None
vRealize Operations      6.x              Windows     N/A        Not affected              N/A
vRealize Operations      6.x              Linux       N/A        Not affected              N/A
vRealize Operations      5.x              VA          Important  6.4.0                     None
vRealize Operations      5.x              Windows     N/A        Not affected              N/A
vRealize Operations      5.x              Linux       N/A        Not affected              N/A

6. Change log

 

2016-11-09 VMSA-2016-0018
Initial security advisory in conjunction with the release of vROps patches on 2016-11-09.  

2016-11-15 VMSA-2016-0018.1
Security advisory update in conjunction with the release of vRealize Operations 6.4 on 2016-11-15.

2016-11-17 VMSA-2016-0018.2
Security advisory update in conjunction with the release of VMware Identity Manager 2.8 and vRealize Automation 6.2.5 on 2016-11-17.

2016-11-22 VMSA-2016-0018.3
Security advisory update in conjunction with the release of vRealize Automation 7.2.0 on 2016-11-22.

7. Contact

 

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

Twitter
https://twitter.com/VMwareSRC

Copyright 2016 VMware Inc. All rights reserved.

 
