Warning: Critical Vulnerabilities in VMware Products (April 6, 2022)

Just yesterday, in the blog post VMware patches Spring4Shell RCE vulnerability CVE-2022-22965, I warned about a vulnerability in certain VMware products. Now the vendor has followed up with a warning about critical vulnerabilities in several other VMware products: Workspace ONE Access, VMware Identity Manager (vIDM), vRealize Suite Lifecycle Manager, vRealize Automation and VMware Cloud Foundation. Security updates that close the vulnerabilities are available.



VMware published the new advisory VMSA-2022-0011 on April 6, 2022. It covers vulnerabilities in the following products:

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

Here is the compact overview of the vulnerabilities in question:

  • CVE-2022-22954: Remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager due to server-side template injection. VMware rates the severity of this issue as critical, with a maximum CVSSv3 base score of 9.8. An attacker with network access can trigger the template injection and execute code on the appliance.
  • CVE-2022-22955, CVE-2022-22956: VMware Workspace ONE Access contains two authentication bypass vulnerabilities in the OAuth2 ACS framework. VMware rates the severity of these vulnerabilities as critical, with a maximum CVSSv3 base score of 9.8. A malicious actor can bypass the authentication mechanism and perform arbitrary operations through the exposed endpoints of the authentication framework.
  • CVE-2022-22957, CVE-2022-22958: VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities. VMware rates the severity of these vulnerabilities as critical, with a maximum CVSSv3 base score of 9.1. A malicious actor with administrative access can trigger the deserialization of untrusted data via a malicious JDBC URI, which can lead to remote code execution.
  • CVE-2022-22959: VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a cross-site request forgery vulnerability. VMware rates the severity of this vulnerability as "Important", with a maximum CVSSv3 base score of 8.8. A malicious actor could cause an administrator to unintentionally validate a malicious JDBC URI via cross-site request forgery, which is the precondition for the two deserialization issues above.
  • CVE-2022-22960: VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions on support scripts. VMware rates the severity of this vulnerability as "Important", with a maximum CVSSv3 base score of 7.8. A malicious actor with local access could elevate privileges to "root".
  • CVE-2022-22961: VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an information disclosure vulnerability due to excess information being returned. VMware rates the severity of this issue as moderate, with a maximum CVSSv3 base score of 5.3. A malicious actor with remote access could obtain the hostname of the target system, which makes it easier to target that system in a follow-up attack.
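
The first entry, CVE-2022-22954, is a server-side template injection reachable over the network, and such bugs are typically found by attackers sending template expressions (for example `${7*7}`) in request parameters and watching whether the server evaluates them. The following script is an added example, not code from VMware or from the advisory: it scans web-server access logs in Common/Combined Log Format for such probes, decoding percent-encoding repeatedly so that double-encoded payloads are not missed. The log lines, client addresses and URL paths in it are constructed for the example and are not the real endpoints of Workspace ONE Access; the indicator names are labels chosen here, not vendor signatures.

```python
"""Scan web-server access logs for server-side template injection (SSTI) probes.

Added example, not VMware's code. The sample log lines at the bottom are
constructed and the URL paths in them are hypothetical; the detector looks only
at the decoded request target, so it applies to any web front end that renders
templates (FreeMarker, Thymeleaf, Jinja2, ...).
"""
import re
from urllib.parse import unquote_plus

# Common/Combined Log Format: client ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Template-expression syntaxes that have no business appearing in a query string.
# The names are labels chosen for this example, not vendor signatures.
SSTI_INDICATORS = [
    ("dollar_brace", re.compile(r"\$\{[^}]*\}")),                # FreeMarker/Thymeleaf-style ${...}
    ("double_brace", re.compile(r"\{\{[^}]*\}\}")),             # Jinja2/Twig-style {{...}}
    ("hash_brace", re.compile(r"#\{[^}]*\}")),                  # JSP EL / SpEL #{...}
    ("freemarker_directive", re.compile(r"<#(?:assign|list|if|include)\b")),
    ("reflection_chain", re.compile(r"\.getClass\(\)|\.forName\(|Runtime\.getRuntime")),
]


def decode_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are caught."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def find_ssti_probes(lines):
    """Return one record per request whose decoded target carries an SSTI indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        decoded = decode_target(m.group("target"))
        indicators = [name for name, rx in SSTI_INDICATORS if rx.search(decoded)]
        if indicators:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "path": decoded.split("?", 1)[0],
                "indicators": indicators,
            })
    return hits


def count_by_source(hits):
    """Aggregate hits per client address; repeated probes from one address are the usual shape."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample log; addresses and paths are hypothetical.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Apr/2022:10:01:22 +0000] "GET /portal/login HTTP/1.1" 200 5123',
    # benign JSON in a query string: braces, but no template syntax
    '10.0.0.5 - - [06/Apr/2022:10:01:30 +0000] "GET /portal/search?filter=%7B%22app%22%3A%22mail%22%7D HTTP/1.1" 200 812',
    # single-encoded ${7*7}
    '203.0.113.7 - - [06/Apr/2022:10:02:41 +0000] "GET /portal/verify?error=&device=%24%7B7*7%7D HTTP/1.1" 400 221',
    # double-encoded ${7*7}
    '203.0.113.7 - - [06/Apr/2022:10:02:43 +0000] "GET /portal/verify?error=&device=%2524%257B7*7%257D HTTP/1.1" 400 221',
    # {{7*7}}
    '198.51.100.9 - - [06/Apr/2022:10:05:02 +0000] "GET /portal/page?name=%7B%7B7*7%7D%7D HTTP/1.1" 404 150',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    probes = find_ssti_probes(SAMPLE_LOG)
    for hit in probes:
        print(hit)
    print(count_by_source(probes))
```

A hit with a 200 response deserves more attention than one with a 400, because it means the server accepted the parameter; either way the scan only tells you whether someone has been probing an exposed appliance, it does not replace applying the VMSA-2022-0011 updates.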

VMware has provided security updates, listed in VMSA-2022-0011, for all affected products. The vendor recommends that administrators apply the patches promptly. VMware has also published an additional blog post with a Q&A for further support.



