VMSA-2022-0021:VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector and vRealize Automation updates address multiple vulnerabilities
23637
07 August 2022
31 July 2022
CLOSED
CRITICAL
4.7-9.8
CVE-2022-31656,CVE-2022-31657,CVE-2022-31658,CVE-2022-31659,CVE-2022-31660,CVE-2022-31661,CVE-2022-31662,CVE-2022-31663,CVE-2022-31664,CVE-2022-31665
1. Impacted Products
- VMware Workspace ONE Access (Access)
- VMware Workspace ONE Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
2. Introduction
Multiple vulnerabilities were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products.
3a. Authentication Bypass Vulnerability (CVE-2022-31656)
Description
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
Known Attack Vectors
A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
Resolution
To remediate CVE-2022-31656, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
Workarounds for CVE-2022-31656 have been documented in the VMware Knowledge Base articles listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq
Notes
VMware has confirmed malicious code that can exploit CVE-2022-31656 in impacted products is publicly available.
Acknowledgements
VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us.
3b. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31658)
Description
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0.
Known Attack Vectors
A malicious actor with administrator and network access can trigger a remote code execution.
Resolution
To remediate CVE-2022-31658, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
None.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq
Notes
None.
Acknowledgements
VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us.
3c. SQL injection Remote Code Execution Vulnerability (CVE-2022-31659)
Description
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0.
Known Attack Vectors
A malicious actor with administrator and network access can trigger a remote code execution.
Resolution
To remediate CVE-2022-31659, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
None.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq
Notes
VMware has confirmed malicious code that can exploit CVE-2022-31659 in impacted products is publicly available.
Acknowledgements
VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us.
3d. Local Privilege Escalation Vulnerability (CVE-2022-31660, CVE-2022-31661)
Description
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. VMware has evaluated the severity of these issues to be in the Important severity range with a maximum CVSSv3 base score of 7.8.
Known Attack Vectors
A malicious actor with local access can escalate privileges to 'root'.
Resolution
To remediate CVE-2022-31660 and CVE-2022-31661 apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
None.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq
Notes
None.
Acknowledgements
VMware would like to thank Spencer McIntyre of Rapid7 for reporting these issues to us.
3e. Local Privilege Escalation Vulnerability (CVE-2022-31664)
Description
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.
Known Attack Vectors
A malicious actor with local access can escalate privileges to 'root'.
Resolution
To remediate CVE-2022-31664, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
None.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq
Notes
None.
Acknowledgements
VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.
3f. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31665)
Description
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.6.
Known Attack Vectors
A malicious actor with administrator and network access can trigger a remote code execution.
Resolution
To remediate CVE-2022-31665, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
None.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq
Notes
None.
Acknowledgements
VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.
3g. URL Injection Vulnerability (CVE-2022-31657)
Description
VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.
Known Attack Vectors
A malicious actor with network access may be able to redirect an authenticated user to an arbitrary domain.
Resolution
To remediate CVE-2022-31657, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
None.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq
Notes
None.
Acknowledgements
VMware would like to thank Tom Tervoort of Secura for reporting this issue to us.
3h. Path traversal vulnerability (CVE-2022-31662)
Description
VMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation contain a path traversal vulnerability. VMware has evaluated the severity of this issues to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
Known Attack Vectors
A malicious actor with network access may be able to access arbitrary files.
Resolution
To remediate CVE-2022-31662, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
None.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq
Notes
None.
Acknowledgements
VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us.
3i. Cross-site scripting (XSS) vulnerability (CVE-2022-31663)
Description
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a reflected cross-site scripting (XSS) vulnerability. VMware has evaluated the severity of this issues to be in the Moderate severity range with a maximum CVSSv3 base score of 4.7.
Known Attack Vectors
Due to improper user input sanitization, a malicious actor with some user interaction may be able to inject javascript code in the target user's window.
Resolution
To remediate CVE-2022-31663, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
None.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq
Notes
None.
Acknowledgements
VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us.
Response Matrix - Access 21.08.x
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-31656 | 9.8 | critical | |||
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-31658 | 8.0 | important | None | ||
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-31659 | 8.0 | important | None | ||
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-31660, CVE-2022-31661 | 7.8 | important | None | ||
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-31664 | 7.8 | important | None | ||
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-31665 | 7.6 | important | None | ||
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-31657 | 5.9 | moderate | None | ||
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-31662 | 5.3 | moderate | None | ||
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-31663 | 4.7 | moderate | None |
Response Matrix - Identity Manager 3.3.x
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| vIDM | 3.3.6, 3.3.5, 3.3.4 | Linux | CVE-2022-31656 | 9.8 | critical | |||
| vIDM | 3.3.6, 3.3.5, 3.3.4 | Linux | CVE-2022-31658 | 8.0 | important | None | ||
| vIDM | 3.3.6, 3.3.5, 3.3.4 | Linux | CVE-2022-31659 | 8.0 | important | None | ||
| vIDM | 3.3.6, 3.3.5, 3.3.4 | Linux | CVE-2022-31660, CVE-2022-31661 | 7.8 | important | None | ||
| vIDM | 3.3.6, 3.3.5, 3.3.4 | Linux | CVE-2022-31664 | 7.8 | important | None | ||
| vIDM | 3.3.6, 3.3.5, 3.3.4 | Linux | CVE-2022-31665 | 7.6 | important | None | ||
| vIDM | 3.3.6, 3.3.5, 3.3.4 | Linux | CVE-2022-31657 | 5.9 | moderate | None | ||
| vIDM | 3.3.6, 3.3.5, 3.3.4 | Linux | CVE-2022-31662 | 5.3 | moderate | None | ||
| vIDM | 3.3.6, 3.3.5, 3.3.4 | Linux | CVE-2022-31663 | 4.7 | moderate | None |
Response Matrix - Connectors
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| Access Connector | 22.05 | Windows | CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665 | N/A | N/A | Unaffected | N/A | N/A |
| Access Connector | 21.08.0.1, 21.08.0.0 | Windows | CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665 | N/A | N/A | Unaffected | N/A | N/A |
| vIDM Connector | 3.3.6, 3.3.5, 3.3.4 | Windows | CVE-2022-31662 | 5.3 | moderate | None | ||
| vIDM Connector | 3.3.6, 3.3.5, 3.3.4 | Windows | CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665 | N/A | N/A | Unaffected | N/A | N/A |
| vIDM Connector | 19.03.0.1 | Windows | CVE-2022-31662 | 5.3 | moderate | None | ||
| vIDM Connector | 19.03.0.1 | Windows | CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665 | N/A | N/A | Unaffected | N/A | N/A |
Response Matrix - vRealize Automation (vIDM)
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| vRealize Automation [1] | 8.x | Linux | CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665 | N/A | N/A | Unaffected | N/A | N/A |
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-31656 | 9.8 | critical | |||
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-31658 | 8.0 | important | None | ||
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-31659 | 8.0 | important | None | ||
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-31660, CVE-2022-31661 | 7.8 | important | None | ||
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-31664 | 7.8 | important | None | ||
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-31665 | 7.6 | important | None | ||
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-31657 | 5.9 | moderate | None | ||
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-31662 | 5.3 | moderate | None | ||
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-31663 | 4.7 | moderate | None |
[1] vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM.
[2] vRealize Automation 7.6 is affected since it uses embedded vIDM.
Impacted Product Suites that Deploy vIDM
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| VMware Cloud Foundation (vIDM) | 4.4.x, 4.3.x, 4.2.x | Any | CVE-2022-31656 | 9.8 | critical | |||
| VMware Cloud Foundation (vIDM) | 4.4.x, 4.3.x, 4.2.x | Any | CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665, CVE-2022-31657, CVE-2022-31662, CVE-2022-31663 | 8.0, 8.0, 7.8, 7.8, 7.8, 7.6, 5.9, 5.3, 4.7 | important | None | ||
| vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2022-31656 | 9.8 | critical | |||
| vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665, CVE-2022-31657, CVE-2022-31662, CVE-2022-31663 | 8.0, 8.0, 7.8, 7.8, 7.8, 7.6, 5.9, 5.3, 4.7 | important | None |
Impacted Product Suites that Deploy vRA
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| VMware Cloud Foundation (vRA) | 3.x | Any | CVE-2022-31656 | 9.8 | critical | |||
| VMware Cloud Foundation (vRA) | 3.x | Any | CVE-2022-31658, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665, CVE-2022-31662, CVE-2022-31663 | 8.0, 7.8, 7.8, 7.8, 7.6, 5.3, 4.7 | important | None | ||
| VMware Cloud Foundation (vRA) | 3.x | Any | CVE-2022-31659 | N/A | N/A | Unaffected | N/A | N/A |
| VMware Cloud Foundation (vRA) | 3.x | Any | CVE-2022-31657 | N/A | N/A | Unaffected | N/A | N/A |
4. References
Fixed Version(s): https://kb.vmware.com/s/article/89096
Workarounds: https://kb.vmware.com/s/article/89084
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31656
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31657
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31658
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31659
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31660
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31661
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31663
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31665
FIRST CVSSv3 Calculator:
CVE-2022-31656: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-31657: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
CVE-2022-31658: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-31659: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-31660: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-31661: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-31662: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2022-31663: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
CVE-2022-31664: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-31665: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N
5. Change Log
2022-08-02: VMSA-2022-0021
Initial security advisory.
2022-08-09: VMSA-2022-0021.1
Updated advisory with information that VMware has confirmed malicious code that can exploit CVE-2022-31656 and CVE-2022-31659 in impacted products is publicly available.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2022 VMware Inc. All rights reserved.