
Flaw in AirWatch by VMware Leaks Info in Multi-Tenant Environments

VMware said on Wednesday that it has released an update to its AirWatch enterprise mobile management and security platform to address information disclosure vulnerabilities that could leak sensitive IT-related organizational information.

According to VMware, the vulnerability (CVE-2014-8372) affects AirWatch by VMware On-Premise 7.3.x.x prior to 7.3.3.0 (FP3) and could enable a user who manages an AirWatch deployment in a multi-tenant environment to view the organizational information and statistics of another tenant.

VMware has fixed the issue in its cloud-based solution, but customers using on-premise deployments must apply the software update.

To perform a self-upgrade, AirWatch administrators have been instructed to email [email protected] to request the install files. Alternatively, customers may engage an AirWatch engineer to perform the upgrade on their behalf.

Denis Andzakovic of security-assessment.com was credited for reporting the vulnerability to VMware.

VMware acquired AirWatch in a $1.54 billion deal announced in Jan. 2014.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.