-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1488.2
   Critical Severity - VMSA-2022-0011 - VMware Workspace ONE Access, Identity
         Manager and vRealize Automation updates address multiple
                                vulnerabilities
                                14 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Workspace ONE Access (Access)
                   VMware Identity Manager (vIDM)
                   VMware vRealize Automation (vRA)
                   VMware Cloud Foundation
                   vRealize Suite Lifecycle Manager
Publisher:         VMware
Operating System:  Virtualisation
                   Linux variants
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22961 CVE-2022-22960 CVE-2022-22959
                   CVE-2022-22958 CVE-2022-22957 CVE-2022-22956
                   CVE-2022-22955 CVE-2022-22954

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2022-0011.html

Comment: CVSS (Max):  9.8 CVE-2022-22954 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: VMware
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Revision History:  April 14 2022: VMware has confirmed that exploitation of
                                  CVE-2022-22954 has occurred in the wild
                   April  7 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Critical

Advisory ID:  VMSA-2022-0011.1
CVSSv3 Range: 5.3-9.8
Issue Date:   2022-04-06
Updated On:   2022-04-13
CVE(s):       CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957,
              CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961
Synopsis:     VMware Workspace ONE Access, Identity Manager and vRealize
              Automation updates address multiple vulnerabilities.

1. Impacted Products

  o VMware Workspace ONE Access (Access)
  o VMware Identity Manager (vIDM)
  o VMware vRealize Automation (vRA)
  o VMware Cloud Foundation
  o vRealize Suite Lifecycle Manager

2. Introduction

Multiple vulnerabilities were privately reported to VMware. Patches are
available to remediate these vulnerabilities in affected VMware products.

3a. Server-side Template Injection Remote Code Execution Vulnerability
    (CVE-2022-22954)

Description

VMware Workspace ONE Access and Identity Manager contain a remote code
execution vulnerability due to server-side template injection. VMware has
evaluated the severity of this issue to be in the Critical severity range
with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor with network access can trigger a server-side template
injection that may result in remote code execution.

Resolution

To remediate CVE-2022-22954, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

Workarounds for CVE-2022-22954 have been documented in the VMware Knowledge
Base articles listed in the 'Workarounds' column of the 'Response Matrix'
below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0011-qna

Notes

VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the
wild.

Acknowledgements

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability
Research Institute for reporting these issues to us.

3b. OAuth2 ACS Authentication Bypass Vulnerabilities (CVE-2022-22955,
    CVE-2022-22956)

Description

VMware Workspace ONE Access has two authentication bypass vulnerabilities in
the OAuth2 ACS framework. VMware has evaluated the severity of these issues
to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor may bypass the authentication mechanism and execute any
operation due to exposed endpoints in the authentication framework.

Resolution

To remediate CVE-2022-22955 and CVE-2022-22956, apply the patches listed in
the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

Workarounds for CVE-2022-22955 and CVE-2022-22956 have been documented in
the VMware Knowledge Base articles listed in the 'Workarounds' column of the
'Response Matrix' below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0011-qna

Notes

These issues only impact Workspace ONE Access.

Acknowledgements

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability
Research Institute for reporting these issues to us.

3c. JDBC Injection Remote Code Execution Vulnerabilities (CVE-2022-22957,
    CVE-2022-22958)

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain
two remote code execution vulnerabilities. VMware has evaluated the severity
of these issues to be in the Critical severity range with a maximum CVSSv3
base score of 9.1.

Known Attack Vectors

A malicious actor with administrative access can trigger deserialization of
untrusted data through a malicious JDBC URI which may result in remote code
execution.

Resolution

To remediate CVE-2022-22957 and CVE-2022-22958, apply the patches listed in
the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

Workarounds for CVE-2022-22957 and CVE-2022-22958 have been documented in
the VMware Knowledge Base articles listed in the 'Workarounds' column of the
'Response Matrix' below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0011-qna

Notes

None.

Acknowledgements

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability
Research Institute for reporting these issues to us.

3d. Cross Site Request Forgery Vulnerability (CVE-2022-22959)

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain
a cross site request forgery vulnerability. VMware has evaluated the severity
of this issue to be in the Important severity range with a maximum CVSSv3
base score of 8.8.

Known Attack Vectors

A malicious actor can trick a user through a cross site request forgery to
unintentionally validate a malicious JDBC URI.

Resolution

To remediate CVE-2022-22959, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

Workarounds for CVE-2022-22959 have been documented in the VMware Knowledge
Base articles listed in the 'Workarounds' column of the 'Response Matrix'
below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0011-qna

Notes

None.

Acknowledgements

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability
Research Institute for reporting these issues to us.

3e. Local Privilege Escalation Vulnerability (CVE-2022-22960)

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain
a privilege escalation vulnerability due to improper permissions in support
scripts. VMware has evaluated the severity of this issue to be in the
Important severity range with a maximum CVSSv3 base score of 7.8.

Known Attack Vectors

A malicious actor with local access can escalate privileges to 'root'.

Resolution

To remediate CVE-2022-22960, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

Workarounds for CVE-2022-22960 have been documented in the VMware Knowledge
Base articles listed in the 'Workarounds' column of the 'Response Matrix'
below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0011-qna

Notes

None.

Acknowledgements

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability
Research Institute for reporting these issues to us.

3f. Information Disclosure Vulnerability (CVE-2022-22961)

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain
an information disclosure vulnerability due to returning excess information.
VMware has evaluated the severity of this issue to be in the Moderate
severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with remote access may leak the hostname of the target
system. Successful exploitation of this issue can lead to targeting victims.

Resolution

To remediate CVE-2022-22961, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

Workarounds for CVE-2022-22961 have been documented in the VMware Knowledge
Base articles listed in the 'Workarounds' column of the 'Response Matrix'
below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0011-qna

Notes

None.

Acknowledgements

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability
Research Institute for reporting these issues to us.
Response Matrix - Access 21.08.x:

Product     Version     Running  CVE Identifier   CVSSv3  Severity   Fixed        Workarounds  Additional
                        On                                           Version                   Documentation
Access      21.08.0.1,  Linux    CVE-2022-22954   9.8     critical   KB88099      KB88098      FAQ
            21.08.0.0
Access      21.08.0.1,  Linux    CVE-2022-22955,  9.8     critical   KB88099      KB88098      FAQ
            21.08.0.0            CVE-2022-22956
Access      21.08.0.1,  Linux    CVE-2022-22957,  9.1     critical   KB88099      KB88098      FAQ
            21.08.0.0            CVE-2022-22958
Access      21.08.0.1,  Linux    CVE-2022-22959   8.8     important  KB88099      KB88098      FAQ
            21.08.0.0
Access      21.08.0.1,  Linux    CVE-2022-22960   7.8     important  KB88099      KB88098      FAQ
            21.08.0.0
Access      21.08.0.1,  Linux    CVE-2022-22961   5.3     moderate   KB88099      None         FAQ
            21.08.0.0

Response Matrix - Access 20.10.x:

Product     Version     Running  CVE Identifier   CVSSv3  Severity   Fixed        Workarounds  Additional
                        On                                           Version                   Documentation
Access      20.10.0.1,  Linux    CVE-2022-22954   9.8     critical   KB88099      KB88098      FAQ
            20.10.0.0
Access      20.10.0.1,  Linux    CVE-2022-22955,  9.8     critical   KB88099      KB88098      FAQ
            20.10.0.0            CVE-2022-22956
Access      20.10.0.1,  Linux    CVE-2022-22957,  9.1     critical   KB88099      KB88098      FAQ
            20.10.0.0            CVE-2022-22958
Access      20.10.0.1,  Linux    CVE-2022-22959   8.8     important  KB88099      KB88098      FAQ
            20.10.0.0
Access      20.10.0.1,  Linux    CVE-2022-22960   7.8     important  KB88099      KB88098      FAQ
            20.10.0.0
Access      20.10.0.1,  Linux    CVE-2022-22961   5.3     moderate   KB88099      None         FAQ
            20.10.0.0

Response Matrix - Identity Manager 3.3.x:

Product     Version     Running  CVE Identifier   CVSSv3  Severity   Fixed        Workarounds  Additional
                        On                                           Version                   Documentation
vIDM        3.3.6,      Linux    CVE-2022-22954   9.8     critical   KB88099      KB88098      FAQ
            3.3.5,
            3.3.4,
            3.3.3
vIDM        3.3.6,      Linux    CVE-2022-22955,  N/A     N/A        Unaffected   N/A          N/A
            3.3.5,               CVE-2022-22956
            3.3.4,
            3.3.3
vIDM        3.3.6,      Linux    CVE-2022-22957,  9.1     critical   KB88099      KB88098      FAQ
            3.3.5,               CVE-2022-22958
            3.3.4,
            3.3.3
vIDM        3.3.6,      Linux    CVE-2022-22959   8.8     important  KB88099      KB88098      FAQ
            3.3.5,
            3.3.4,
            3.3.3
vIDM        3.3.6,      Linux    CVE-2022-22960   7.8     important  KB88099      KB88098      FAQ
            3.3.5,
            3.3.4,
            3.3.3
vIDM        3.3.6,      Linux    CVE-2022-22961   5.3     moderate   KB88099      None         FAQ
            3.3.5,
            3.3.4,
            3.3.3

Response Matrix - vRealize Automation (vIDM):

Product     Version     Running  CVE Identifier   CVSSv3  Severity   Fixed        Workarounds  Additional
                        On                                           Version                   Documentation
vRealize    8.x         Linux    CVE-2022-22954,  N/A     N/A        Unaffected   N/A          N/A
Automation                       CVE-2022-22955,
[1]                              CVE-2022-22956,
                                 CVE-2022-22957,
                                 CVE-2022-22958,
                                 CVE-2022-22959,
                                 CVE-2022-22960,
                                 CVE-2022-22961
vRealize    7.6         Linux    CVE-2022-22954   N/A     N/A        Unaffected   N/A          N/A
Automation
(vIDM)
vRealize    7.6         Linux    CVE-2022-22955,  N/A     N/A        Unaffected   N/A          N/A
Automation                       CVE-2022-22956
(vIDM)
vRealize    7.6         Linux    CVE-2022-22957,  9.1     critical   KB88099      KB88098      FAQ
Automation                       CVE-2022-22958
(vIDM) [2]
vRealize    7.6         Linux    CVE-2022-22959   8.8     important  KB88099      KB88098      FAQ
Automation
(vIDM) [2]
vRealize    7.6         Linux    CVE-2022-22960   7.8     important  KB88099      KB88098      FAQ
Automation
(vIDM) [2]
vRealize    7.6         Linux    CVE-2022-22961   N/A     N/A        Unaffected   N/A          N/A
Automation
(vIDM)

[1] vRealize Automation 8.x is unaffected since it does not use embedded
    vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied
    directly to vIDM.
[2] vRealize Automation 7.6 is affected since it uses embedded vIDM.

Impacted Product Suites that Deploy Response Matrix Components:

Product     Version     Running  CVE Identifier   CVSSv3  Severity   Fixed        Workarounds  Additional
                        On                                           Version                   Documentation
VMware      4.x         Any      CVE-2022-22954,  9.8,    critical   KB88099      KB88098      FAQ
Cloud                            CVE-2022-22957,  9.1,
Foundation                       CVE-2022-22958,  9.1,
(vIDM)                           CVE-2022-22959,  8.8,
                                 CVE-2022-22960,  7.8,
                                 CVE-2022-22961   5.3
VMware      3.x         Any      CVE-2022-22957,  9.1,    critical   KB88099      KB88098      FAQ
Cloud                            CVE-2022-22958,  9.1,
Foundation                       CVE-2022-22959,  8.8,
(vRA)                            CVE-2022-22960   7.8
vRealize    8.x         Any      CVE-2022-22954,  9.8,    critical   KB88099      KB88098      FAQ
Suite                            CVE-2022-22957,  9.1,
Lifecycle                        CVE-2022-22958,  9.1,
Manager                          CVE-2022-22959,  8.8,
(vIDM)                           CVE-2022-22960,  7.8,
                                 CVE-2022-22961   5.3

4. References

Fixed Version(s):
https://kb.vmware.com/s/article/88099

Workarounds:
https://kb.vmware.com/s/article/88098

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22954
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22955
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22956
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22959
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22961

FIRST CVSSv3 Calculator:
CVE-2022-22954: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22955: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22956: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22957: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-22958: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-22959: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-22960: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22961: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5. Change Log

2022-04-06: VMSA-2022-0011 Initial security advisory.
2022-04-13: VMSA-2022-0011.1 VMware has confirmed that exploitation of
            CVE-2022-22954 has occurred in the wild.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYld0e+NLKJtyKPYoAQhGQQ/7BBFQGkbKLB+w5/QipcSUEHEw25U6DoOi
Tb9/UWVaKvf7tZ/NgcfwgRr4cvWFjNiyevxpyjeNTdRjczYr0l2HvbRRcAyV7dB8
fGdT1aEX8zK0bZA09BmGmJm64QDnjaJu8ZtFsmgXHu/71JpR37XpUOOaGMtxZfe2
zbvEzCWarm9SX9WZn270Ge4De0HIqsIRL0WTo0MSNJtGmCugHtnG0aK+6E5o1ZIZ
1TQvTjpVj8mKKA6RJ8QySLcnyylGTNap7CrxpJe9dkgO+hGf/29mTuPI8IowcYnl
9KvHmB6VxChkRgobwO40Lh28PSH9l/u2uub06i/eA6NUUKlrVG7YqnVsgaqZLIIm
EydfSFBU1d6K8qNBxiGv544p5xL6RuQFe/BHroUBC5XRd79MuY1emTqnZQsMTYS8
Hjzfs+FLW8QObhiq8DcQWjR/jv8PC0a0UqrXQvY2j7yrs+cdvSSOrrqcIz8dAT8+
5hviZ9OMIh8O7EDQVzBlAZUwvtOl/PV6lBAl+YlU2B1jQBgI7hr90P3reb/XUjOI
qldHm/n8HbG6CKaAtQY8w0kdqcDcYvVdsOrVNcfWs2d0YaxVEcwV2sFxByaFeGsf
+jVnxkpkWByO4dmvuvKlQ9quxvMb6yFXoMqVgmK+p8VBe/4Ey+dn3SeljvGGC+iZ
Og3DSMDfPfI=
=/IS7
-----END PGP SIGNATURE-----