- VMware urges administrators to apply patches as soon as possible for several vulnerabilities, one of which is rated critical.
- Along with the security advisory, the company published a questions-and-answers post to inform its users about the vulnerabilities and workarounds.
- VMware stated that it has not seen any of the vulnerabilities being exploited in the wild, and thus did not share a proof of concept.
VMware has urged users to patch an authentication bypass security vulnerability. It affects local domain users and allows unauthenticated users to gain admin privileges. Along with the critical vulnerability, which has a CVSSv3 score of 9.8, the company also patched several important and moderate vulnerabilities. The critical vulnerability was reported by Petrus Viet from VNG Security.
Authentication bypass
The advisory published by VMware includes fixes for 10 vulnerabilities. These vulnerabilities affect:
- VMware Workspace ONE Access (Access)
- VMware Workspace ONE Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
VMware also announced that there is currently no evidence that the critical vulnerability is being exploited in the wild. Along with the fixes, VMware provided a temporary workaround for users who cannot patch their software right away. It requires admins to disable all users except one administrator and log in over SSH to restart the horizon-workspace service. The workaround is only a temporary solution, and the company urges users to apply the patch as soon as possible.
- CVE-2022-31656: VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
- CVE-2022-31658: VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0.
- CVE-2022-31659: VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0.
- CVE-2022-31660 and CVE-2022-31661: VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain two privilege escalation vulnerabilities. VMware has evaluated the severity of these issues to be in the Important severity range with a maximum CVSSv3 base score of 7.8.
- CVE-2022-31664: VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.
- CVE-2022-31665: VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.6.
The company also published a Q&A about the vulnerabilities. In the post, the company said,
« Customers who have deployed a product listed in the VMSA are affected. To fully protect yourself and your organization, please install one of the patch versions or use the workarounds listed. There may be other protections available in your organization depending on your security posture, defense-in-depth strategies, and configurations of virtual machines.
The workaround only covers the critical vulnerability (CVE-2022-31656) and does not address the other issues. There are functional impacts, such as inventory sync failures and disablement of local users, if you use the workaround. »