VMSA-2017-0020

VMware AirWatch Console updates address Broken Access Control vulnerability.

VMware Security Advisory

Advisory ID: VMSA-2017-0020
Severity: Moderate
Synopsis: VMware AirWatch Console updates address Broken Access Control vulnerability.
Issue date: 2017-12-12
Updated on: 2017-12-12 (Initial Advisory)
CVE numbers: CVE-2017-4942

1. Summary

VMware AirWatch Console updates address Broken Access Control vulnerability.

 
2. Relevant Products
  • VMware AirWatch Console (AWC)

3. Problem Description

VMware AirWatch Console (AWC) Broken Access Control

VMware AirWatch Console (AWC) contains a Broken Access Control vulnerability. Successful exploitation of this issue could result in end-user device details being disclosed to an unauthorized administrator.

 

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4942 to this issue.

 

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product     Product Version   Running on   Severity   Replace with/Apply Patch   Workaround
----------------   ---------------   ----------   --------   ------------------------   --------------
AirWatch Console   9.x               Any          Moderate   9.2.2*                     KB115015676547


*Additional patches are available for supported AirWatch releases. Please see KB115015676547 for more information.
 

4. Solution

 

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

 

VMware AirWatch Console 9.2.2 

Downloads and Documentation:

https://support.air-watch.com/articles/115015625647
 

5. References

 

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4942
https://support.air-watch.com/articles/115015676547
https://www.air-watch.com/en/about/contact-us
https://support.air-watch.com/articles/115015625647

6. Change log

 

2017-12-12: VMSA-2017-0020

 

Initial security advisory in conjunction with the release of VMware AirWatch Console patches on 2017-12-12.

 

7. Contact

 

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com

bugtraq@securityfocus.com

fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at: https://kb.vmware.com/kb/1055

 

VMware Security Advisories

http://www.vmware.com/security/advisories

 

Consolidated list of VMware Security Advisories

http://kb.vmware.com/kb/2078735

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2017 VMware Inc. All rights reserved.