A recently-patched hole in VMware's AirWatch on-premise mobile device management solution allowed users who manage MDM solutions in multi-tenant environments to access other tenants' data.
VMware this week issued a patch to close an information disclosure hole in its AirWatch on-premise mobile device management solution.
In its security advisory for the flaw, VMSA-2014-0014, VMware said AirWatch On-Premise had direct object reference vulnerabilities which could allow a manager of an MDM deployment in a multi-tenant environment to see organisational information and statistics of other tenants.
Direct object reference vulnerabilities allow attackers to bypass authentication and access system resources such as databases and files directly. Vulnerable applications take user input in browser links, and retrieve files without performing authorisation checks.
A common flaw, direct object reference is one of the easiest vulnerabilities for attackers to exploit, according to the Open Web Application Security Project (OWASP).
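The missing authorisation check described above, as an added example that is not VMware's code or part of the original report: a hypothetical multi-tenant statistics lookup, shown without and with a tenant ownership check, plus a regression check that lists which of another tenant's records a manager can read. All names, ids and data are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: two tenants sharing one hypothetical MDM deployment.
ORG_STATS = {
    101: {"tenant": "tenant-a", "name": "Acme Field Ops", "enrolled_devices": 412},
    202: {"tenant": "tenant-b", "name": "Globex Sales", "enrolled_devices": 97},
}

@dataclass(frozen=True)
class Session:
    user: str
    tenant: str  # fixed server-side at login, never read from the request

class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""

def get_org_stats_vulnerable(session, org_id):
    # Any logged-in manager gets whichever record the id in the link names.
    return ORG_STATS[int(org_id)]

def get_org_stats_checked(session, org_id):
    try:
        record = ORG_STATS.get(int(org_id))
    except (TypeError, ValueError):
        record = None
    # One error for "no such id" and "not your tenant", so ids leak nothing.
    if record is None or record["tenant"] != session.tenant:
        raise Forbidden("organisation group not accessible")
    return record

def audit_cross_tenant(handler, session):
    """Regression check: ids of other tenants' records the handler returns."""
    leaked = []
    for org_id, record in ORG_STATS.items():
        if record["tenant"] == session.tenant:
            continue
        try:
            handler(session, str(org_id))
            leaked.append(org_id)
        except Forbidden:
            pass
    return leaked

if __name__ == "__main__":
    manager_a = Session(user="alice", tenant="tenant-a")
    print("vulnerable handler leaks:", audit_cross_tenant(get_org_stats_vulnerable, manager_a))
    print("checked handler leaks:   ", audit_cross_tenant(get_org_stats_checked, manager_a))
```

The same audit function can run in a test suite against every handler that accepts a record id, so a lookup added later without the ownership check fails the build.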
The accounts of some 500 Dodo Power and Gas customers were exposed due to a direct object reference vulnerability two years ago, while Australia Post had to withdraw its Send and Click service in 2012 after a similar flaw was discovered.
The vulnerable versions of AirWatch include 7.3.x.x before 7.3.30 FP3, the company said.
VMware's AirWatch Cloud solution has already been patched for the flaw.
iTnews has contacted VMware for further detail.