VMSA-2017-0016

VMware AirWatch Console and Launcher for Android updates resolve multiple vulnerabilities.

VMware Security Advisory

Advisory ID:  VMSA-2017-0016
Severity:     Important
Synopsis:     VMware AirWatch Console and Launcher for Android updates resolve multiple vulnerabilities.
Issue date:   2017-11-08
Updated on:   2017-11-08 (Initial Advisory)
CVE numbers:  CVE-2017-4930, CVE-2017-4931, CVE-2017-4932

1. Summary

VMware AirWatch Console and Launcher for Android updates resolve multiple vulnerabilities.

2. Relevant Products

  • VMware AirWatch Console (AWC)
  • VMware AirWatch Launcher for Android (AWL)

3. Problem Description

a. VMware AirWatch Console stored XSS vulnerability

VMware AirWatch Console contains a vulnerability that could allow an authenticated AWC user to add a malicious URL to an enrolled device’s ‘Links’ page. Successful exploitation of this issue could result in an unsuspecting AWC user being redirected to a malicious URL.

VMware would like to thank Nicodemo Gawronski for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4930 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product                  Product Version   Running on   Severity   Replace with/ Apply Patch   Workaround
AirWatch Console                9.x               Any          Moderate   9.2.0+                      None
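
The defensive counterpart to the issue above, as an added example that is not part of this advisory or VMware's code: a server-side allowlist that stores only http(s) links on a page like the device ‘Links’ page, written in Python with hypothetical function names.

```python
"""Added example, not VMware's code: a scheme allowlist for user-supplied
links, the class of server-side check that keeps a stored entry on a
device's 'Links' page from sending the next viewer to a non-web URL
(the issue class of CVE-2017-4930).  All names here are hypothetical."""
from urllib.parse import urlsplit, urlunsplit

# Only web schemes may be stored; anything else (javascript:, data:,
# vbscript:, ...) is rejected regardless of casing or whitespace.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class InvalidLinkError(ValueError):
    """Raised when a link must not be stored on the Links page."""


def normalize_link(raw):
    """Return a canonical http(s) URL for storage, or raise InvalidLinkError."""
    if not isinstance(raw, str):
        raise InvalidLinkError("link must be a string")
    # Browsers strip surrounding whitespace and ignore tab/CR/LF inside the
    # scheme, so remove those first; otherwise a scheme split by a tab would
    # pass a naive prefix comparison and still be honoured by the browser.
    cleaned = "".join(ch for ch in raw.strip() if ch not in "\t\r\n")
    if any(ord(ch) < 0x20 for ch in cleaned):
        raise InvalidLinkError("control characters are not allowed")
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise InvalidLinkError("scheme %r is not allowed" % (scheme or "(none)"))
    # Reject userinfo (user:pass@host) so the host a reviewer sees in the
    # stored text is the host the browser will actually contact.
    if not parts.hostname or "@" in parts.netloc:
        raise InvalidLinkError("a plain host name is required")
    return urlunsplit((scheme, parts.netloc.lower(), parts.path or "/",
                       parts.query, parts.fragment))


def is_safe_link(raw):
    """Boolean form of normalize_link() for use in form validation."""
    try:
        normalize_link(raw)
    except InvalidLinkError:
        return False
    return True
```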

 

 

b. VMware AirWatch Console CSV file integrity vulnerability

VMware AirWatch Console contains a vulnerability that could allow an authenticated AWC user to add malicious data to an enrolled device’s log files. Successful exploitation of this issue could result in an unsuspecting AWC user opening a CSV file which contains malicious content.

VMware would like to thank Nicodemo Gawronski for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4931 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product                  Product Version   Running on   Severity   Replace with/ Apply Patch   Workaround
AirWatch Console                9.x               Any          Moderate   9.2.0+                      None
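
An added example, not from this advisory or VMware's code, of the export-side fix for this issue class: a Python CSV writer that disarms cells a spreadsheet would evaluate as formulas. It assumes the ‘malicious content’ is formula text, the usual form of this bug class, and uses hypothetical names and constructed rows.

```python
"""Added example, not VMware's code: a CSV export that neutralises spreadsheet
formula injection, assuming (my reading of CVE-2017-4931) that the 'malicious
content' is device-log text written by a console user which a spreadsheet
evaluates when an administrator opens the export.  Rows are constructed."""
import csv
import io

# A cell beginning with one of these is treated by Excel and LibreOffice
# as a formula rather than as text.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Disarm one cell value before it is written to CSV.

    Real numbers pass through so that -5 stays numeric; a string that starts
    with a formula trigger gets a leading single quote, which spreadsheets
    honour as 'render this cell as literal text'."""
    if value is None:
        return ""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def write_device_log_csv(rows, fieldnames):
    """Serialise dict rows to CSV text with every cell neutralised.

    QUOTE_ALL wraps each field in double quotes and doubles embedded quotes,
    so a log value cannot close its field early and smuggle in a raw cell."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


# Constructed sample: 'note' is the log text a console user can influence;
# 'retries' is a genuine number that must survive the export unchanged.
SAMPLE_FIELDS = ["device", "event", "retries", "note"]
SAMPLE_ROWS = [
    {"device": "dev-001", "event": "enrolled", "retries": 0, "note": "ok"},
    {"device": "dev-002", "event": "app installed", "retries": 0, "note": "=1+1"},
    {"device": "dev-003", "event": "sync", "retries": -5, "note": "-5 retries"},
]
```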

 

 

c. VMware AirWatch Launcher for Android UI privilege escalation

VMware AirWatch Launcher for Android contains a vulnerability that could allow an escalation of privilege from the launcher UI context menu to native UI functionality and privilege. Successful exploitation of this issue could result in an escalation of privilege.

VMware would like to thank Igor Shmakov for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4932 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product                  Product Version   Running on   Severity    Replace with/ Apply Patch   Workaround
AirWatch Launcher for Android   x.x               Android      Important   3.2.2                       None

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

VMware AirWatch Console 9.2.0
Downloads and Documentation:
https://support.air-watch.com/articles/115012658907

VMware AirWatch Launcher for Android 3.2.2
Downloads and Documentation:
https://my.air-watch.com/products/AirWatch-Launcher/Android/v3.2.2/awall

5. References

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-4930
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-4931
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-4932

6. Change log

2017-11-08: VMSA-2017-0016
Initial security advisory in conjunction with the release of VMware AirWatch Launcher for Android 3.2.2 on 2017-11-08.

7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

Consolidated list of VMware Security Advisories
http://kb.vmware.com/kb/2078735

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2017 VMware Inc. All rights reserved.
