-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
                           VMware Security Advisory

Advisory ID: VMSA-2018-0028
Severity:    Moderate
Synopsis:    VMware vRealize Log Insight updates address an
             authorization bypass vulnerability
Issue date:  2018-11-13
Updated on:  2018-11-13 (Initial Advisory)
CVE number:  CVE-2018-6980

1. Summary

   VMware vRealize Log Insight updates address an authorization bypass
   vulnerability

2. Relevant Products

   VMware vRealize Log Insight (vRLI)

3. Problem Description

   vRealize Log Insight improper authorization vulnerability

   VMware vRealize Log Insight contains a vulnerability due to improper
   authorization in the user registration method. Successful
   exploitation of this issue may allow Admin users with view only
   permission to perform certain administrative functions which they
   are not allowed to perform.

   VMware would like to thank Piotr Madej of ING Tech Poland for
   reporting this issue to us.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2018-6980 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware    Product   Running             Replace with/  Mitigations/
   Product   Version   on        Severity  Apply patch   Workarounds
   ======== ========  ========= ========= ============   ============
     vRLI     4.7.x    Virtual   Moderate     4.7.1         None
                               Appliance
     vRLI     4.6.x    Virtual   Moderate     4.6.2         None
                       Appliance

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   VMware vRealize Log Insight 4.7.1
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/info/slug/infrastructure_operations
   _management/vmware_vrealize_log_insight/4_7
   VMware vRealize Log Insight 4.6.2
   Downloads and Documentation:
   https://my.vmware.com/web/vmware/info/slug/infrastructure_operations
   _management/vmware_vrealize_log_insight/4_6


5. References

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6980

- -----------------------------------------------------------------------

6. Change log

   VMSA-2018-0028 2018-11-13 Initial security advisory in conjunction
   with the release of vRLI 4.7.1 and 4.6.2 on 2018-11-13.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:
   security-announce@lists.vmware.com
   bugtraq@securityfocus.com
   fulldisclosure@seclists.org

   E-mail: security@vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   https://www.vmware.com/security/advisories

   Consolidated list of VMware Security Advisories
   https://kb.vmware.com/kb/2078735

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html
   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2018 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.4.1 (Build 490)
Charset: utf-8

wj8DBQFb6zpGDEcm8Vbi9kMRAsj+AKCpkcveWPZKH9monC7SGwP5IYDUZwCgg99c
qVgwGc3G0fLTomLhyRq98is=
=T+RY
-----END PGP SIGNATURE-----