VMSA-2022-0014:VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities
23630
25 May 2022
16 May 2022
CLOSED
CRITICAL
7.8-9.8
CVE-2022-22972,CVE-2022-22973
1. Impacted Products
- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
2. Introduction
Multiple vulnerabilities were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products.
3a. Authentication Bypass Vulnerability (CVE-2022-22972)
Description
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
Known Attack Vectors
A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
Resolution
To remediate CVE-2022-22972, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
Workarounds for CVE-2022-22972 have been documented in the VMware Knowledge Base articles listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0014-qna
Notes
05/26: VMware has confirmed malicious code that can exploit CVE-2022-22972 in impacted products is publicly available.
Acknowledgements
VMware would like to thank Bruno López of Innotec Security for reporting this vulnerability to us.
3b. Local Privilege Escalation Vulnerability (CVE-2022-22973)
Description
VMware Workspace ONE Access and Identity Manager contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.
Known Attack Vectors
A malicious actor with local access can escalate privileges to 'root'.
Resolution
To remediate CVE-2022-22973, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds
None.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0014-qna
Notes
None.
Acknowledgements
VMware would like to thank Kai Zhao of ToTU Security Team and Steven Yu for independently reporting this issue to us.
Response Matrix
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22972 | 9.8 | critical | KB88438 | KB88433 | FAQ |
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22973 | 7.8 | important | KB88438 | None | FAQ |
| Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22972 | 9.8 | critical | KB88438 | KB88433 | FAQ |
| Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22973 | 7.8 | important | KB88438 | None | FAQ |
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22972 | 9.8 | critical | KB88438 | KB88433 | FAQ |
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22973 | 7.8 | important | KB88438 | None | FAQ |
| vRealize Automation [1] | 8.x | Linux | CVE-2022-22972, CVE-2022-22973 | N/A | N/A | Unaffected | N/A | N/A |
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-22972 | 9.8 | critical | KB88438 | KB88433 | FAQ |
| vRealize Automation (vIDM) | 7.6 | Linux | CVE-2022-22973 | N/A | N/A | Unaffected | N/A | N/A |

KB88438 and KB88433 are the Fixed Version and Workarounds Knowledge Base articles listed under References; FAQ is the supplemental blog post at https://via.vmw.com/vmsa-2022-0014-qna.
[1] vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM.
[2] vRealize Automation 7.6 is affected since it uses embedded vIDM.
Impacted Product Suites that Deploy Response Matrix Components:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| VMware Cloud Foundation (vIDM) | 4.4, 4.3.x, 4.2.x, 4.1, 4.0.x | Any | CVE-2022-22972 | 9.8 | critical | KB88438 | KB88433 | FAQ |
| VMware Cloud Foundation (vIDM) | 4.4, 4.3.x, 4.2.x, 4.1, 4.0.x | Any | CVE-2022-22973 | 7.8 | important | KB88438 | None | FAQ |
| VMware Cloud Foundation (vRA) | 3.x | Any | CVE-2022-22972 | 9.8 | critical | KB88438 | KB88433 | FAQ |
| vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2022-22972 | 9.8 | critical | KB88438 | KB88433 | FAQ |
| vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2022-22973 | 7.8 | important | KB88438 | None | FAQ |
4. References
Fixed Version(s): https://kb.vmware.com/s/article/88438
Workarounds: https://kb.vmware.com/s/article/88433
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22972
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22973
FIRST CVSSv3 Calculator:
CVE-2022-22972: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22973: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
5. Change Log
2022-05-18: VMSA-2022-0014
Initial security advisory.
2022-05-27: VMSA-2022-0014.1
05/26: Updated advisory with information that VMware has confirmed malicious code that can exploit CVE-2022-22972 in impacted products is publicly available.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2022 VMware Inc. All rights reserved.