-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3764.2
  VMSA-2022-0021 - VMware Workspace ONE Access, Access Connector, Identity
   Manager, Identity Manager Connector and vRealize Automation updates
                     address multiple vulnerabilities
                               10 August 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Workspace ONE Access (Access)
                   VMware Workspace ONE Access Connector (Access Connector)
                   VMware Identity Manager (vIDM)
                   VMware Identity Manager Connector (vIDM Connector)
                   VMware vRealize Automation (vRA)
                   VMware Cloud Foundation
                   vRealize Suite Lifecycle Manager
Publisher:         VMware
Operating System:  Linux variants
                   Windows
                   VMware ESX Server
                   Virtualisation
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-31665 CVE-2022-31664 CVE-2022-31663 CVE-2022-31662
                   CVE-2022-31661 CVE-2022-31660 CVE-2022-31659 CVE-2022-31658
                   CVE-2022-31657 CVE-2022-31656

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2022-0021.html

Comment: CVSS (Max):  9.8 CVE-2022-31656 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: VMware
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

         VMware has stated "This critical vulnerability should be patched or
         mitigated immediately"

Revision History:  August 10 2022: VMware has confirmed malicious code that can
                                   exploit CVE-2022-31656 and CVE-2022-31659 is
                                   publicly available
                   August  3 2022: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Critical

Advisory ID:  VMSA-2022-0021
CVSSv3 Range: 4.7-9.8
Issue Date:   2022-08-02
Updated On:   2022-08-02 (Initial Advisory)
CVE(s):       CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659,
              CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663,
              CVE-2022-31664, CVE-2022-31665

Synopsis:
VMware Workspace ONE Access, Access Connector, Identity Manager, Identity
Manager Connector and vRealize Automation updates address multiple
vulnerabilities.

1. Impacted Products

  o VMware Workspace ONE Access (Access)
  o VMware Workspace ONE Access Connector (Access Connector)
  o VMware Identity Manager (vIDM)
  o VMware Identity Manager Connector (vIDM Connector)
  o VMware vRealize Automation (vRA)
  o VMware Cloud Foundation
  o vRealize Suite Lifecycle Manager

2. Introduction

Multiple vulnerabilities were privately reported to VMware. Patches are
available to remediate these vulnerabilities in affected VMware products.

3a. Authentication Bypass Vulnerability (CVE-2022-31656)

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain
an authentication bypass vulnerability affecting local domain users. VMware
has evaluated the severity of this issue to be in the Critical severity range
with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor with network access to the UI may be able to obtain
administrative access without the need to authenticate.

Resolution

To remediate CVE-2022-31656, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

Workarounds for CVE-2022-31656 have been documented in the VMware Knowledge
Base articles listed in the 'Workarounds' column of the 'Response Matrix'
below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq

Notes

None.

Acknowledgements

VMware would like to thank PetrusViet (a member of VNG Security) for reporting
this issue to us.

3b. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31658)

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain
a remote code execution vulnerability.
VMware has evaluated the severity of this issue to be in the Important
severity range with a maximum CVSSv3 base score of 8.0.

Known Attack Vectors

A malicious actor with administrator and network access can trigger a remote
code execution.

Resolution

To remediate CVE-2022-31658, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq

Notes

None.

Acknowledgements

VMware would like to thank PetrusViet (a member of VNG Security) for reporting
this issue to us.

3c. SQL injection Remote Code Execution Vulnerability (CVE-2022-31659)

Description

VMware Workspace ONE Access and Identity Manager contain a remote code
execution vulnerability. VMware has evaluated the severity of this issue to be
in the Important severity range with a maximum CVSSv3 base score of 8.0.

Known Attack Vectors

A malicious actor with administrator and network access can trigger a remote
code execution.

Resolution

To remediate CVE-2022-31659, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq

Notes

None.

Acknowledgements

VMware would like to thank PetrusViet (a member of VNG Security) for reporting
this issue to us.

3d. Local Privilege Escalation Vulnerability (CVE-2022-31660, CVE-2022-31661)

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain
two privilege escalation vulnerabilities. VMware has evaluated the severity of
these issues to be in the Important severity range with a maximum CVSSv3 base
score of 7.8.

Known Attack Vectors

A malicious actor with local access can escalate privileges to 'root'.
Resolution

To remediate CVE-2022-31660 and CVE-2022-31661 apply the patches listed in the
'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq

Notes

None.

Acknowledgements

VMware would like to thank Spencer McIntyre of Rapid7 for reporting these
issues to us.

3e. Local Privilege Escalation Vulnerability (CVE-2022-31664)

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain
a privilege escalation vulnerability. VMware has evaluated the severity of
this issue to be in the Important severity range with a maximum CVSSv3 base
score of 7.8.

Known Attack Vectors

A malicious actor with local access can escalate privileges to 'root'.

Resolution

To remediate CVE-2022-31664, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq

Notes

None.

Acknowledgements

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability
Research Institute for reporting this issue to us.

3f. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31665)

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain
a remote code execution vulnerability. VMware has evaluated the severity of
this issue to be in the Important severity range with a maximum CVSSv3 base
score of 7.6.

Known Attack Vectors

A malicious actor with administrator and network access can trigger a remote
code execution.

Resolution

To remediate CVE-2022-31665, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

None.
Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq

Notes

None.

Acknowledgements

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability
Research Institute for reporting this issue to us.

3g. URL Injection Vulnerability (CVE-2022-31657)

Description

VMware Workspace ONE Access and Identity Manager contain a URL injection
vulnerability. VMware has evaluated the severity of this issue to be in the
Moderate severity range with a maximum CVSSv3 base score of 5.9.

Known Attack Vectors

A malicious actor with network access may be able to redirect an
authenticated user to an arbitrary domain.

Resolution

To remediate CVE-2022-31657, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq

Notes

None.

Acknowledgements

VMware would like to thank Tom Tervoort of Secura for reporting this issue to
us.

3h. Path traversal vulnerability (CVE-2022-31662)

Description

VMware Workspace ONE Access, Identity Manager, Connectors and vRealize
Automation contain a path traversal vulnerability. VMware has evaluated the
severity of this issue to be in the Moderate severity range with a maximum
CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access may be able to access arbitrary files.

Resolution

To remediate CVE-2022-31662, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq

Notes

None.

Acknowledgements

VMware would like to thank PetrusViet (a member of VNG Security) for reporting
this issue to us.
3i. Cross-site scripting (XSS) vulnerability (CVE-2022-31663)

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain
a reflected cross-site scripting (XSS) vulnerability. VMware has evaluated the
severity of this issue to be in the Moderate severity range with a maximum
CVSSv3 base score of 4.7.

Known Attack Vectors

Due to improper user input sanitization, a malicious actor with some user
interaction may be able to inject JavaScript code in the target user's window.

Resolution

To remediate CVE-2022-31663, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please
see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq

Notes

None.

Acknowledgements

VMware would like to thank PetrusViet (a member of VNG Security) for reporting
this issue to us.

Response Matrix - Access 21.08.x

Product  Version               Running On  CVE Identifier                  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
Access   21.08.0.1, 21.08.0.0  Linux       CVE-2022-31656                  9.8     critical   KB89096        KB89084      FAQ
Access   21.08.0.1, 21.08.0.0  Linux       CVE-2022-31658                  8.0     important  KB89096        None         FAQ
Access   21.08.0.1, 21.08.0.0  Linux       CVE-2022-31659                  8.0     important  KB89096        None         FAQ
Access   21.08.0.1, 21.08.0.0  Linux       CVE-2022-31660, CVE-2022-31661  7.8     important  KB89096        None         FAQ
Access   21.08.0.1, 21.08.0.0  Linux       CVE-2022-31664                  7.8     important  KB89096        None         FAQ
Access   21.08.0.1, 21.08.0.0  Linux       CVE-2022-31665                  7.6     important  KB89096        None         FAQ
Access   21.08.0.1, 21.08.0.0  Linux       CVE-2022-31657                  5.9     moderate   KB89096        None         FAQ
Access   21.08.0.1, 21.08.0.0  Linux       CVE-2022-31662                  5.3     moderate   KB89096        None         FAQ
Access   21.08.0.1, 21.08.0.0  Linux       CVE-2022-31663                  4.7     moderate   KB89096        None         FAQ

Response Matrix - Identity Manager 3.3.x

Product  Version              Running On  CVE Identifier                  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
vIDM     3.3.6, 3.3.5, 3.3.4  Linux       CVE-2022-31656                  9.8     critical   KB89096        KB89084      FAQ
vIDM     3.3.6, 3.3.5, 3.3.4  Linux       CVE-2022-31658                  8.0     important  KB89096        None         FAQ
vIDM     3.3.6, 3.3.5, 3.3.4  Linux       CVE-2022-31659                  8.0     important  KB89096        None         FAQ
vIDM     3.3.6, 3.3.5, 3.3.4  Linux       CVE-2022-31660, CVE-2022-31661  7.8     important  KB89096        None         FAQ
vIDM     3.3.6, 3.3.5, 3.3.4  Linux       CVE-2022-31664                  7.8     important  KB89096        None         FAQ
vIDM     3.3.6, 3.3.5, 3.3.4  Linux       CVE-2022-31665                  7.6     important  KB89096        None         FAQ
vIDM     3.3.6, 3.3.5, 3.3.4  Linux       CVE-2022-31657                  5.9     moderate   KB89096        None         FAQ
vIDM     3.3.6, 3.3.5, 3.3.4  Linux       CVE-2022-31662                  5.3     moderate   KB89096        None         FAQ
vIDM     3.3.6, 3.3.5, 3.3.4  Linux       CVE-2022-31663                  4.7     moderate   KB89096        None         FAQ

Response Matrix - Connectors

Product           Version               Running On  CVE Identifier                  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Access Connector  22.05                 Windows     CVE-2022-31656, CVE-2022-31657, N/A     N/A       Unaffected     N/A          N/A
                                                    CVE-2022-31658, CVE-2022-31659,
                                                    CVE-2022-31660, CVE-2022-31661,
                                                    CVE-2022-31662, CVE-2022-31663,
                                                    CVE-2022-31664, CVE-2022-31665
Access Connector  21.08.0.1, 21.08.0.0  Windows     CVE-2022-31656, CVE-2022-31657, N/A     N/A       Unaffected     N/A          N/A
                                                    CVE-2022-31658, CVE-2022-31659,
                                                    CVE-2022-31660, CVE-2022-31661,
                                                    CVE-2022-31662, CVE-2022-31663,
                                                    CVE-2022-31664, CVE-2022-31665
vIDM Connector    3.3.6, 3.3.5, 3.3.4   Windows     CVE-2022-31662                  5.3     moderate  KB89096        None         FAQ
vIDM Connector    3.3.6, 3.3.5, 3.3.4   Windows     CVE-2022-31656, CVE-2022-31657, N/A     N/A       Unaffected     N/A          N/A
                                                    CVE-2022-31658, CVE-2022-31659,
                                                    CVE-2022-31660, CVE-2022-31661,
                                                    CVE-2022-31663, CVE-2022-31664,
                                                    CVE-2022-31665
vIDM Connector    19.03.0.1             Windows     CVE-2022-31662                  5.3     moderate  KB89096        None         FAQ
vIDM Connector    19.03.0.1             Windows     CVE-2022-31656, CVE-2022-31657, N/A     N/A       Unaffected     N/A          N/A
                                                    CVE-2022-31658, CVE-2022-31659,
                                                    CVE-2022-31660, CVE-2022-31661,
                                                    CVE-2022-31663, CVE-2022-31664,
                                                    CVE-2022-31665

Response Matrix - vRealize Automation (vIDM)

Product                         Version  Running On  CVE Identifier                  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
vRealize Automation [1]         8.x      Linux       CVE-2022-31656, CVE-2022-31657, N/A     N/A        Unaffected     N/A          N/A
                                                     CVE-2022-31658, CVE-2022-31659,
                                                     CVE-2022-31660, CVE-2022-31661,
                                                     CVE-2022-31662, CVE-2022-31663,
                                                     CVE-2022-31664, CVE-2022-31665
vRealize Automation (vIDM) [2]  7.6      Linux       CVE-2022-31656                  9.8     critical   KB89096        KB89084      FAQ
vRealize Automation (vIDM) [2]  7.6      Linux       CVE-2022-31658                  8.0     important  KB89096        None         FAQ
vRealize Automation (vIDM) [2]  7.6      Linux       CVE-2022-31659                  8.0     important  KB89096        None         FAQ
vRealize Automation (vIDM) [2]  7.6      Linux       CVE-2022-31660, CVE-2022-31661  7.8     important  KB89096        None         FAQ
vRealize Automation (vIDM) [2]  7.6      Linux       CVE-2022-31664                  7.8     important  KB89096        None         FAQ
vRealize Automation (vIDM) [2]  7.6      Linux       CVE-2022-31665                  7.6     important  KB89096        None         FAQ
vRealize Automation (vIDM) [2]  7.6      Linux       CVE-2022-31657                  5.9     moderate   KB89096        None         FAQ
vRealize Automation (vIDM) [2]  7.6      Linux       CVE-2022-31662                  5.3     moderate   KB89096        None         FAQ
vRealize Automation (vIDM) [2]  7.6      Linux       CVE-2022-31663                  4.7     moderate   KB89096        None         FAQ

[1] vRealize Automation 8.x is unaffected since it does not use embedded vIDM.
    If vIDM has been deployed with vRA 8.x, fixes should be applied directly
    to vIDM.
[2] vRealize Automation 7.6 is affected since it uses embedded vIDM.
Impacted Product Suites that Deploy vIDM

Product                                  Version              Running On  CVE Identifier   CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
VMware Cloud Foundation (vIDM)           4.4.x, 4.3.x, 4.2.x  Any         CVE-2022-31656   9.8     critical   KB89096        KB89084      FAQ
VMware Cloud Foundation (vIDM)           4.4.x, 4.3.x, 4.2.x  Any         CVE-2022-31658,  8.0,    important  KB89096        None         FAQ
                                                                          CVE-2022-31659,  8.0,
                                                                          CVE-2022-31660,  7.8,
                                                                          CVE-2022-31661,  7.8,
                                                                          CVE-2022-31664,  7.8,
                                                                          CVE-2022-31665,  7.6,
                                                                          CVE-2022-31657,  5.9,
                                                                          CVE-2022-31662,  5.3,
                                                                          CVE-2022-31663   4.7
vRealize Suite Lifecycle Manager (vIDM)  8.x                  Any         CVE-2022-31656   9.8     critical   KB89096        KB89084      FAQ
vRealize Suite Lifecycle Manager (vIDM)  8.x                  Any         CVE-2022-31658,  8.0,    important  KB89096        None         FAQ
                                                                          CVE-2022-31659,  8.0,
                                                                          CVE-2022-31660,  7.8,
                                                                          CVE-2022-31661,  7.8,
                                                                          CVE-2022-31664,  7.8,
                                                                          CVE-2022-31665,  7.6,
                                                                          CVE-2022-31657,  5.9,
                                                                          CVE-2022-31662,  5.3,
                                                                          CVE-2022-31663   4.7

Impacted Product Suites that Deploy vRA

Product                        Version  Running On  CVE Identifier   CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
VMware Cloud Foundation (vRA)  3.x      Any         CVE-2022-31656   9.8     critical   KB89096        KB89084      FAQ
VMware Cloud Foundation (vRA)  3.x      Any         CVE-2022-31658,  8.0,    important  KB89096        None         FAQ
                                                    CVE-2022-31660,  7.8,
                                                    CVE-2022-31661,  7.8,
                                                    CVE-2022-31664,  7.8,
                                                    CVE-2022-31665,  7.6,
                                                    CVE-2022-31662,  5.3,
                                                    CVE-2022-31663   4.7
VMware Cloud Foundation (vRA)  3.x      Any         CVE-2022-31659   N/A     N/A        Unaffected     N/A          N/A
VMware Cloud Foundation (vRA)  3.x      Any         CVE-2022-31657   N/A     N/A        Unaffected     N/A          N/A

4. References

Fixed Version(s):
https://kb.vmware.com/s/article/89096

Workarounds:
https://kb.vmware.com/s/article/89084

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31656
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31657
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31658
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31659
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31660
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31663
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31665

FIRST CVSSv3 Calculator:
CVE-2022-31656: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-31657: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
CVE-2022-31658: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-31659: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-31660: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-31661: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-31662: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2022-31663: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
CVE-2022-31664: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-31665: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N

5. Change Log

2022-08-02: VMSA-2022-0021 Initial security advisory.
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================