VMware has fixed a bug it already fixed, but then re-introduced to its products.
This odd story starts on June 11th, 2018, when VMware advised that the AirWatch Agent possessed a remote code execution vulnerability.
Known as CVE-2018-6968, the bug had the potential to allow “unauthorized creation and execution of files in the Agent sandbox and other publicly accessible directories such as those on the SD card by a malicious administrator.”
All releases of the AirWatch Agent for Android up to version 8.2 had the bug, which VMware’s fix squashed.
Which would ordinarily be the end of the matter.
But VMware has now released version 8.3.3 of the Agent, with an that advisory reveals that the new release “resolves the inadvertent re-introduction of CVE-2018-6968 in AirWatch Agent for Android 8.3.0 and 8.3.1.”
iTnews hasn’t seen a mess quite like this for some time, so here’s the timeline just to make it plain:
- Version 8.2 of the AirWatch agent had a bug so VMware issued a fix;
- Version 8.3.0 and 8.3.1, which you’d imagine would have removed the bug, instead put the bug back in;
- Version 8.3.2, available now, doesn’t have the bug, promise!
VMware’s track record on security is generally pretty good: the company has issued just 23 security advisories for all of 2018 and several of those deal with the Meltdown and Spectre CPU design flaws that Intel kindly foisted on the world.
But the company has also had occasional quality issues: in 2016 it pulled a quarterly release of its flagship network virtualization product NSX after it proved unstable.