Virtualization Technology News and Information
VMware Identity Manager (vIDM) 2.x and vRealize Automation (vRA) 7.x Security Patches Released

This week, VMware released patches for a security vulnerability identified in two of its products allowing an attacker to elevate privileges on a compromised machine. The virtualization giant patched CVE-2016-5335 in its Identity Manager (vIDM) and vRealize Automation (vRA) software.

"Exploitation of this issue may lead to an attacker with access to a low-privileged account to escalate their privileges to that of root," VMware said in advisory VMSA-2016-0013.

The local privilege escalation described by CVE-2016-5335 affects both vIDM 2.x and vRA 7.x. VMware said Identity Manager users running version 2.x should move to 2.7, and vRealize Automation users on 7.0.x should move to 7.1.

Identity Manager is VMware's identity management service for the mobile cloud. Administrators can provision application permissions, manage access controls and self-service options, and enable single sign-on for SaaS, web, cloud and mobile applications. vRealize Automation enables the deployment of applications and services across a cloud infrastructure.

At the same time, VMware also patched a separate remote code execution flaw in vRealize Automation identified as CVE-2016-5336.

The vRA remote code execution flaw described by CVE-2016-5336 allows the compromise of a low-privileged account via port 40002. The issue only affects vRA 7.0.x; the vulnerable service was introduced in 7.0. Successful exploitation has limited gains on its own because the service account was designed to use minimal privileges, which is why VMware classified the issue as important rather than critical.

"We want to stress that while both of these issues fall in the important severity range (please see our response policies for more information) when chained together they present the opportunity for a complete compromise of a vRA 7.0.x appliance," stated Edward Hawkins, Senior Program Manager, VMware Security Response Center.  "We strongly recommend updating to vRA 7.1 as soon as possible.  Customers that cannot upgrade vRA immediately can implement the workaround documented in KB2146585 and/or limit access to port 40002 via an external firewall as a mitigation."

For the solution, review the patch/release notes for your product and version and verify the checksum of your downloaded file.
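As an added example (not VMware's code or part of the advisory), the following triages a constructed appliance inventory against the affected and fixed versions named above, flags the 7.0.x chain that Hawkins describes, and attaches the interim mitigation where port 40002 is still reachable. The inventory fields, hostnames and the `port_40002_open` flag are assumptions for illustration.

```python
# Added example, not VMware's code: triage appliances against VMSA-2016-0013.
# Affected/fixed versions (vIDM 2.x -> 2.7, vRA 7.0.x -> 7.1), the CVE ids,
# port 40002 and KB2146585 come from the article; everything else is constructed.
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '7.0.1' into (7, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Appliance:
    host: str              # constructed hostname
    product: str           # "vIDM" or "vRA"
    version: str           # product version string
    port_40002_open: bool  # assumed to come from a network inventory


def assess(a: Appliance) -> dict:
    """Map one appliance to the CVEs it is exposed to and the advised actions."""
    v = parse_version(a.version)
    cves, actions = [], []
    if a.product == "vIDM" and (2,) <= v < (2, 7):
        cves.append("CVE-2016-5335")           # LPE, fixed in vIDM 2.7
        actions.append("upgrade to vIDM 2.7")
    elif a.product == "vRA" and (7,) <= v < (7, 1):
        # vRA 7.x below 7.1 is exactly 7.0.x: both the LPE and the RCE apply,
        # and together they allow full compromise of the appliance.
        cves += ["CVE-2016-5335", "CVE-2016-5336"]
        actions.append("upgrade to vRA 7.1 (LPE + RCE chain: full compromise)")
        if a.port_40002_open:
            actions.append("until upgraded: apply KB2146585 and/or firewall port 40002")
    return {"host": a.host, "cves": cves, "actions": actions}


def triage(inventory: list) -> list:
    """Return assessments only for appliances that still need action."""
    return [r for r in (assess(a) for a in inventory) if r["cves"]]


# Constructed sample inventory for a stand-alone run.
SAMPLE_INVENTORY = [
    Appliance("vra01.example.test", "vRA", "7.0.1", True),
    Appliance("vra02.example.test", "vRA", "7.1.0", True),
    Appliance("idm01.example.test", "vIDM", "2.6", False),
    Appliance("idm02.example.test", "vIDM", "2.7", False),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(r["host"], r["cves"], r["actions"])
```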

VMware Identity Manager 2.7 Downloads and Documentation.

vRealize Automation 7.1 Downloads and Documentation.

Published Thursday, August 25, 2016 4:49 PM by David Marshall