Critical Severity – VMSA-2022-0014 – VMware Workspace ONE Access, Identity Manager and vRealize Automation

VMware published VMSA-2022-0014, rated Critical severity. Critical vulnerabilities (CVE-2022-22972 and CVE-2022-22973) were discovered in:

  • VMware Workspace ONE Access (Access),,,
  • VMware Identity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3
  • VMware vRealize Automation (vRA) 7.6

The attack vector is the UI: a malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

In addition to the products listed above, VMware adds:

  • VMware Cloud Foundation 4.3.x, 4.2.x, 4.1, 4.0.x, 3.x
  • vRealize Suite Lifecycle Manager 8.x

as they include instances of VMware Identity Manager or VMware vRealize Automation.

These vulnerabilities are an authentication bypass and a privilege escalation. An authentication bypass means that an attacker with network access to Workspace ONE Access, VMware Identity Manager, and vRealize Automation can obtain administrator access. Privilege escalation means that an attacker with local access can become root on the virtual appliance. It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments. If your organization uses ITIL methodologies for change management, this would be considered an “emergency” change. Information on patches and workarounds can be found in the VMware Security Advisory.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Access | 21.08.0.1, | | | | | KB88438 | KB88433 | FAQ |
| Access | 21.08.0.1, | | | | | KB88438 | None | FAQ |
| Access | 20.10.0.1, | | | | | KB88438 | KB88433 | FAQ |
| Access | 20.10.0.1, | | | | | KB88438 | None | FAQ |
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ |
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22973 | 7.8 | Important | KB88438 | None | FAQ |
| vRealize Automation [1] | 8.x | Linux | CVE-2022-22972, CVE-2022-22973 | N/A | N/A | Unaffected | N/A | N/A |
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ |
| vRealize Automation (vIDM) | 7.6 | Linux | CVE-2022-22973 | N/A | N/A | Unaffected | N/A | |

Impacted Product Suites that Deploy Response Matrix Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Cloud Foundation (vIDM) | 4.3.x, 4.2.x, 4.1, 4.0.x | Any | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ |
| VMware Cloud Foundation (vIDM) | 4.3.x, 4.2.x, 4.1, 4.0.x | Any | CVE-2022-22973 | 7.8 | Important | KB88438 | None | FAQ |
| VMware Cloud Foundation (vRA) | 3.x | Any | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ |
| vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ |
| vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2022-22973 | 7.8 | Important | KB88438 | None | FAQ |


Fixed Version(s):

Mitre CVE Dictionary Links:

FIRST CVSSv3 Calculator:

Frequently Asked Questions about VMSA-2022-0014 can be found at:

If you want to chat with me please use Twitter: @AngrySysOps