Critical Severity – VMSA-2022-0014 – VMware Workspace ONE Access, Identity Manager and vRealize Automation

VMware published VMSA-2022-0014, rated Critical. Two vulnerabilities, CVE-2022-22972 (authentication bypass, Critical) and CVE-2022-22973 (local privilege escalation, Important), were reported in:

  • VMware Workspace ONE Access (Access) 20.10.0.1, 20.10.0.0, 21.08.0.1, 21.08.0.0
  • VMware Identity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3
  • VMware vRealize Automation (vRA) 7.6

The attack vector for CVE-2022-22972 is straightforward: a malicious actor with network access to the UI may be able to obtain administrative access without needing to authenticate. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

In addition to the products listed above, VMware lists the following suites as impacted:

  • VMware Cloud Foundation 4.3.x, 4.2.x, 4.1, 4.0.x, 3.x
  • vRealize Suite Lifecycle Manager 8.x

because they bundle instances of VMware Identity Manager or VMware vRealize Automation.

These vulnerabilities are an authentication bypass (CVE-2022-22972) and a privilege escalation (CVE-2022-22973). The authentication bypass means that an attacker with network access to Workspace ONE Access, VMware Identity Manager or vRealize Automation can obtain administrator access without valid credentials. The privilege escalation means that an attacker who already has local access to the virtual appliance can become root. It is extremely important that you quickly patch or mitigate these issues in on-premises deployments. If your organization uses ITIL methodologies for change management, this would be considered an "emergency" change. Note that the workaround in KB88433 covers only CVE-2022-22972; the response matrix lists no workaround for CVE-2022-22973, so the privilege escalation is addressed only by installing the fixed version from KB88438. Information on patches and workarounds can be found in the VMware Security Advisory.

Response Matrix

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
------- | ------- | ---------- | -------------- | ------ | -------- | ------------- | ----------- | ------------------------
Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ
Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22973 | 7.8 | Important | KB88438 | None | FAQ
Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ
Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22973 | 7.8 | Important | KB88438 | None | FAQ
vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ
vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22973 | 7.8 | Important | KB88438 | None | FAQ
vRealize Automation [1] | 8.x | Linux | CVE-2022-22972, CVE-2022-22973 | N/A | N/A | Unaffected | N/A | N/A
vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ
vRealize Automation (vIDM) | 7.6 | Linux | CVE-2022-22973 | N/A | N/A | Unaffected | N/A |

Impacted Product Suites that Deploy Response Matrix Components:

Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
------- | ------- | ---------- | -------------- | ------ | -------- | ------------- | ----------- | ------------------------
VMware Cloud Foundation (vIDM) | 4.3.x, 4.2.x, 4.1, 4.0.x | Any | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ
VMware Cloud Foundation (vIDM) | 4.3.x, 4.2.x, 4.1, 4.0.x | Any | CVE-2022-22973 | 7.8 | Important | KB88438 | None | FAQ
VMware Cloud Foundation (vRA) | 3.x | Any | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ
vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ
vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2022-22973 | 7.8 | Important | KB88438 | None | FAQ

References

Fixed Version(s): https://kb.vmware.com/s/article/88438
Workarounds: https://kb.vmware.com/s/article/88433

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22972
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22973

FIRST CVSSv3 Calculator:
CVE-2022-22972: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22973: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Frequently Asked Questions about VMSA-2022-0014 can be found at:
https://via.vmw.com/vmsa-2022-0014-qna

Please like and share to spread the knowledge in the community.

Subscribe to my channel : https://bit.ly/3vY16CT

If you want to chat with me please use Twitter: @AngrySysOps

Join my  VMware Knowledge Base Group: https://bit.ly/3w54tbc

Visit my FB page: https://www.facebook.com/AngrySysOps

Read my blog: https://angrysysops.com
