VMware has published VMSA-2022-0014, a Critical severity advisory. Two vulnerabilities (CVE-2022-22972 and CVE-2022-22973) were disclosed for:
- VMware Workspace ONE Access (Access) 20.10.0.1, 20.10.0.0, 21.08.0.1, 21.08.0.0
- VMware Identity Manager (vIDM) 3.3.6, 3.3.5, 3.3.4, 3.3.3
- VMware vRealize Automation (vRA) 7.6
The attack angle: a malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
In addition to the products listed above, VMware also lists:
- VMware Cloud Foundation 4.3.x, 4.2.x, 4.1, 4.0.x, 3.x
- vRealize Suite Lifecycle Manager 8.x
as they include instances of VMware Identity Manager or VMware vRealize Automation.
These vulnerabilities are an authentication bypass and a privilege escalation. The authentication bypass means that an attacker with network access to Workspace ONE Access, VMware Identity Manager, or vRealize Automation can obtain administrator access. The privilege escalation means that an attacker with local access can become root on the virtual appliance. It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments. If your organization uses ITIL methodologies for change management, this would be considered an "emergency" change. Information on patches and workarounds can be found in the VMware Security Advisory.
Response Matrix
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ |
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22973 | 7.8 | Important | KB88438 | None | FAQ |
| Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ |
| Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22973 | 7.8 | Important | KB88438 | None | FAQ |
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ |
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22973 | 7.8 | Important | KB88438 | None | FAQ |
| vRealize Automation [1] | 8.x | Linux | CVE-2022-22972, CVE-2022-22973 | N/A | N/A | Unaffected | N/A | N/A |
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ |
| vRealize Automation (vIDM) | 7.6 | Linux | CVE-2022-22973 | N/A | N/A | Unaffected | N/A | N/A |
Impacted Product Suites that Deploy Response Matrix Components:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Cloud Foundation (vIDM) | 4.3.x, 4.2.x, 4.1, 4.0.x | Any | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ |
| VMware Cloud Foundation (vIDM) | 4.3.x, 4.2.x, 4.1, 4.0.x | Any | CVE-2022-22973 | 7.8 | Important | KB88438 | None | FAQ |
| VMware Cloud Foundation (vRA) | 3.x | Any | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ |
| vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2022-22972 | 9.8 | Critical | KB88438 | KB88433 | FAQ |
| vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2022-22973 | 7.8 | Important | KB88438 | None | FAQ |
References
Fixed Version(s): https://kb.vmware.com/s/article/88438
Workarounds: https://kb.vmware.com/s/article/88433
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22972
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22973
FIRST CVSSv3 Calculator:
CVE-2022-22972: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22973: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Frequently Asked Questions about VMSA-2022-0014 can be found at:
https://via.vmw.com/vmsa-2022-0014-qna
If you want to chat with me please use Twitter: @AngrySysOps
Join my VMware Knowledge Base Group: https://bit.ly/3w54tbc
Visit my FB page: https://www.facebook.com/AngrySysOps
Read my blog: https://angrysysops.com