Today, VMware has released the following new security advisory:
“VMSA-2018-0031 – vRealize Operations updates address a local privilege escalation vulnerability”
This documents the remediation of an important severity local privilege escalation vulnerability (CVE-2018-6978) in vRealize Operations (vROps). The issue exists due to improper permissions on support scripts. An admin** user of the vROps application with shell access may exploit this issue to elevate their privileges to root on the vROps machine.
**The admin user (non-sudoer) should not be confused with root of the vROps machine.
We would like to thank Alessandro Zanni, pentester at OVH for reporting this issue to us.
Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.
Customers should review the security advisories and direct any questions to VMware Support.
Greetings from the VMware Security Response Center!
Yesterday Kubernetes disclosed CVE-2018-1002105 – a critical severity vulnerability in the Kubernetes API server. For more details on the vulnerability please see Kubernetes’ announcement here:
This vulnerability affects the following VMware products:
- VMware Pivotal Container Service (PKS)
- VMware vCloud Director Container Service Extension (CSE)
There will be no VMware Security Advisory, since remediation for these products has already been documented in a separate advisory or on the offering’s GitHub page.
- PKS – Fixed in 1.2.3
- CSE – Fixed in 1.2.5
- Photon OS – Fixed in 1.10.11-1 and 1.11.5-1
For our service offerings that use Kubernetes, mitigations are already in place that close the critical severity attack vector associated with CVE-2018-1002105 while full remediation is in progress.