VMSA-2022-0011:VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities
23639
11 April 2022
04 April 2022
CLOSED
CRITICAL
5.3-9.8
CVE-2022-22954,CVE-2022-22955,CVE-2022-22956,CVE-2022-22957,CVE-2022-22958,CVE-2022-22959,CVE-2022-22960,CVE-2022-22961
1. Impacted Products
- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
2. Introduction
Multiple vulnerabilities were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products.
3a. Server-side Template Injection Remote Code Execution Vulnerability (CVE-2022-22954)
Description
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
Known Attack Vectors
A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
Resolution
To remediate CVE-2022-22954, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
Workarounds for CVE-2022-22954 have been documented in the VMware Knowledge Base articles listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0011-qna
Notes
VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the wild.
Acknowledgements
VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting these issues to us.
3b. OAuth2 ACS Authentication Bypass Vulnerabilities (CVE-2022-22955, CVE-2022-22956)
Description
VMware Workspace ONE Access has two authentication bypass vulnerabilities in the OAuth2 ACS framework. VMware has evaluated the severity of these issues to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
Known Attack Vectors
A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.
Resolution
To remediate CVE-2022-22955 and CVE-2022-22956, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
Workarounds for CVE-2022-22955 and CVE-2022-22956 have been documented in the VMware Knowledge Base articles listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0011-qna
Notes
These issues only impact Workspace ONE Access.
Acknowledgements
VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting these issues to us.
3c. JDBC Injection Remote Code Execution Vulnerabilities (CVE-2022-22957, CVE-2022-22958)
Description
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities. VMware has evaluated the severity of these issues to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.
Known Attack Vectors
A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution.
Resolution
To remediate CVE-2022-22957 and CVE-2022-22958, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
Workarounds for CVE-2022-22957 and CVE-2022-22958 have been documented in the VMware Knowledge Base articles listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0011-qna
Notes
None.
Acknowledgements
VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting these issues to us.
3d. Cross Site Request Forgery Vulnerability (CVE-2022-22959)
Description
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a cross site request forgery vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.
Known Attack Vectors
A malicious actor can trick a user through a cross site request forgery to unintentionally validate a malicious JDBC URI.
Resolution
To remediate CVE-2022-22959, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
Workarounds for CVE-2022-22959 have been documented in the VMware Knowledge Base articles listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0011-qna
Notes
None.
Acknowledgements
VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting these issues to us.
3e. Local Privilege Escalation Vulnerability (CVE-2022-22960)
Description
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.
Known Attack Vectors
A malicious actor with local access can escalate privileges to 'root'.
Resolution
To remediate CVE-2022-22960, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
Workarounds for CVE-2022-22960 have been documented in the VMware Knowledge Base articles listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0011-qna
Notes
VMware has confirmed that exploitation of CVE-2022-22960 has occurred in the wild.
Acknowledgements
VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting these issues to us.
3f. Information Disclosure Vulnerability (CVE-2022-22961)
Description
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an information disclosure vulnerability due to returning excess information. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
Known Attack Vectors
A malicious actor with remote access may leak the hostname of the target system. Successful exploitation of this issue can lead to targeting victims.
Resolution
To remediate CVE-2022-22961, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
Workarounds for CVE-2022-22961 have been documented in the VMware Knowledge Base articles listed in the 'Workarounds' column of the 'Response Matrix' below.
Additional Documentation
A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0011-qna
Notes
None.
Acknowledgements
VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting these issues to us.
Response Matrix - Access 21.08.x:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22954 | 9.8 | critical | |||
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22955, CVE-2022-22956 | 9.8 | critical | |||
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22957, CVE-2022-22958 | 9.1 | critical | |||
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22959 | 8.8 | important | |||
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22960 | 7.8 | important | |||
| Access | 21.08.0.1, 21.08.0.0 | Linux | CVE-2022-22961 | 5.3 | moderate | None |
Response Matrix - Access 20.10.x:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22954 | 9.8 | critical | |||
| Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22955, CVE-2022-22956 | 9.8 | critical | |||
| Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22957, CVE-2022-22958 | 9.1 | critical | |||
| Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22959 | 8.8 | important | |||
| Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22960 | 7.8 | important | |||
| Access | 20.10.0.1, 20.10.0.0 | Linux | CVE-2022-22961 | 5.3 | moderate | None |
Response Matrix - Identity Manager 3.3.x:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22954 | 9.8 | critical | |||
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22955, CVE-2022-22956 | N/A | N/A | Unaffected | N/A | N/A |
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22957, CVE-2022-22958 | 9.1 | critical | |||
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22959 | 8.8 | important | |||
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22960 | 7.8 | important | |||
| vIDM | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22961 | 5.3 | moderate | None |
Response Matrix - vRealize Automation (vIDM):
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| vRealize Automation [1] | 8.x | Linux | CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961 | N/A | N/A | Unaffected | N/A | N/A |
| vRealize Automation (vIDM) | 7.6 | Linux | CVE-2022-22954 | N/A | N/A | Unaffected | N/A | N/A |
| vRealize Automation (vIDM) | 7.6 | Linux | CVE-2022-22955, CVE-2022-22956 | N/A | N/A | Unaffected | N/A | N/A |
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-22957, CVE-2022-22958 | 9.1 | critical | |||
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-22959 | 8.8 | important | |||
| vRealize Automation (vIDM) [2] | 7.6 | Linux | CVE-2022-22960 | 7.8 | important | |||
| vRealize Automation (vIDM) | 7.6 | Linux | CVE-2022-22961 | N/A | N/A | Unaffected | N/A | N/A |
[1] vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM.
[2] vRealize Automation 7.6 is affected since it uses embedded vIDM.
Impacted Product Suites that Deploy Response Matrix Components:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| VMware Cloud Foundation (vIDM) | 4.x | Any | CVE-2022-22954, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961 | 9.8, 9.1, 9.1, 8.8, 7.8, 5.3 | critical | |||
| VMware Cloud Foundation (vRA) | 3.x | Any | CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 | 9.1, 9.1, 8.8, 7.8 | critical | |||
| vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2022-22954, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961 | 9.8, 9.1, 9.1, 8.8, 7.8, 5.3 | critical |
4. References
Fixed Version(s): https://kb.vmware.com/s/article/88099
Workarounds: https://kb.vmware.com/s/article/88098
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22954
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22955
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22956
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22959
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22961
FIRST CVSSv3 Calculator:
CVE-2022-22954: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22955: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22956: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22957: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-22958: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-22959: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-22960: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22961: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5. Change Log
2022-04-06: VMSA-2022-0011
Initial security advisory.
2022-04-13: VMSA-2022-0011.1
VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the wild.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2022 VMware Inc. All rights reserved.