Take Control of Your
Multi-Cloud Environment

VMSA-2017-0016

VMware AirWatch Console and Launcher for Android updates resolve multiple vulnerabilities.

1. Summary

VMware AirWatch Console and Launcher for Android updates resolve multiple vulnerabilities.

2. Relevant Products

• VMware AirWatch Console (AWC)
• VMware AirWatch Launcher for Android (AWL)
  
•  

3. Problem Description

a. VMware AirWatch Console stored XSS vulnerability  

VMware AirWatch Console contains a vulnerability that could allow an authenticated AWC user to add a malicious URL to an enrolled device’s ‘Links’ page. Successful exploitation of this issue could result in an unsuspecting AWC user being redirected to a malicious URL.

VMware would like to thank Nicodemo Gawronski for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4930 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

b. VMware AirWatch Console CSV file integrity vulnerability

VMware AirWatch Console contains a vulnerability that could allow an authenticated AWC user to add malicious data to an enrolled device’s log files. Successful exploitation of this issue could result in an unsuspecting AWC user opening a CSV file which contains malicious   content.

VMware would like to thank Nicodemo Gawronski for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4931 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

c. VMware AirWatch Launcher for Android UI privilege escalation

VMware AirWatch Launcher for Android contains a vulnerability that could allow an escalation of privilege from the launcher UI context menu to native UI functionality and privilege. Successful exploitation of this issue could result in an escalation of privilege.

VMware would like to thank Igor Shmakov for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4932 to these issues.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

VMware AirWatch Console 9.2.0 

Downloads and Documentation:

https://support.air-watch.com/articles/115012658907

VMware AirWatch Launcher for Android 3.2.2

Downloads and Documentation:  

https://my.air-watch.com/products/AirWatch-Launcher/Android/v3.2.2/awall

5. References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-4930

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-4931

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-4932

6. Change log

2017-11-08: VMSA-2017-0016

Initial security advisory in conjunction with the release of VMware AirWatch Launcher for Android 3.2.2 on 2017-11-08.

7. Contact

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com

bugtraq@securityfocus.com

fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories

http://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories

http://kb.vmware.com/kb/2078735

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

Twitter

https://twitter.com/VMwareSRC

Copyright 2017 VMware Inc. All rights reserved.