VMSA-2022-0014

Critical


VMSA-2022-0014

7.8-9.8

2022-05-18

2022-05-18

CVE-2022-22972, CVE-2022-22973

VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities.
1. Impacted Products


  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager
2. Introduction


Multiple vulnerabilities were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products.

3a. Authentication Bypass Vulnerability (CVE-2022-22972)

Description



VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors



A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

Resolution



To remediate CVE-2022-22972, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.

Workarounds



Workarounds for CVE-2022-22972 have been documented in the VMware Knowledge Base articles listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

Additional Documentation



A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0014-qna

Notes



None.

Acknowledgements



VMware would like to thank Bruno López of Innotec Security for reporting this vulnerability to us.

3b. Local Privilege Escalation Vulnerability (CVE-2022-22973)

Description



VMware Workspace ONE Access and Identity Manager contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

Known Attack Vectors



A malicious actor with local access can escalate privileges to ‘root’. 

Resolution



To remediate CVE-2022-22973 apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.

Workarounds



None.

Additional Documentation



A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0014-qna

Notes



None.

Acknowledgements



VMware would like to thank Kai Zhao of ToTU Security Team and Steven Yu for independently reporting this issue to us.

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
Access
21.08.0.1, 21.08.0.0
Linux
CVE-2022-22972
9.8
critical

Access
21.08.0.1, 21.08.0.0
Linux
CVE-2022-22973
7.8
important

None
Access
20.10.0.1, 20.10.0.0
Linux
CVE-2022-22972
9.8
critical

Access
20.10.0.1, 20.10.0.0
Linux
CVE-2022-22973
7.8
important

None
vIDM
3.3.6, 3.3.5, 3.3.4, 3.3.3
Linux
CVE-2022-22972
9.8
critical

vIDM
3.3.6, 3.3.5, 3.3.4, 3.3.3
Linux
CVE-2022-22973
7.8
important

None
vRealize Automation [1]
8.x
Linux
CVE-2022-22972, CVE-2022-22973
N/A
N/A
Unaffected
N/A
N/A
vRealize Automation (vIDM) [2]
7.6
Linux
CVE-2022-22972
9.8
critical

vRealize Automation (vIDM)
7.6
Linux
CVE-2022-22973
N/A
N/A
Unaffected
N/A
N/A


[1] vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM.
[2] vRealize Automation 7.6 is affected since it uses embedded vIDM.

Impacted Product Suites that Deploy Response Matrix Components:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
VMware Cloud Foundation (vIDM)
4.3.x, 4.2.x, 4.1, 4.0.x
Any
CVE-2022-22972
9.8
critical

VMware Cloud Foundation (vIDM)
4.3.x, 4.2.x, 4.1, 4.0.x
Any
CVE-2022-22973
7.8
important

None
VMware Cloud Foundation (vRA)
3.x
Any
CVE-2022-22972
9.8
critical

vRealize Suite Lifecycle Manager (vIDM)
8.x
Any
CVE-2022-22972
9.8
critical

vRealize Suite Lifecycle Manager (vIDM)
8.x
Any
CVE-2022-22973
7.8
important

None
4. References
5. Change Log


2022-05-18: VMSA-2022-0014
Initial security advisory.

6. Contact


E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  

bugtraq@securityfocus.com  

fulldisclosure@seclists.org 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055 

VMware Security Advisories

https://www.vmware.com/security/advisories 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

Twitter

https://twitter.com/VMwareSRC

Copyright 2022 VMware Inc. All rights reserved.

Facebook
Twitter
LinkedIn