Support Content Notification - Support Portal

VMSA-2022-0032:VMware Workspace ONE Access and Identity Manager updates address multiple vulnerabilities

Product/Component

VMware

1 more products

Notification Id

23652

Last Updated

11 December 2022

Initial Publication Date

11 December 2022

Status

CLOSED

Severity

HIGH

CVSS Base Score

5.3-7.2

WorkAround

Affected CVE

CVE-2022-31700,CVE-2022-31701

Advisory ID: VMSA-2022-0032

CVSSv3 Range: 5.3-7.2

Issue Date:2022-12-13

Updated On: 2022-12-13 (Initial Advisory)

CVE(s): CVE-2022-31700, CVE-2022-31701

Synopsis: VMware Workspace ONE Access and Identity Manager updates address multiple vulnerabilities (CVE-2022-31700, CVE-2022-31701).

1. Impacted Products

VMware Workspace ONE Access (Access)
VMware Identity Manager (vIDM)
VMware Cloud Foundation (Cloud Foundation)

2. Introduction

Multiple vulnerabilities were privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.

3a. Authenticated Remote Code Execution Vulnerability (CVE-2022-31700)

Description

VMware Workspace ONE Access and Identity Manager contain an authenticated remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.

Known Attack Vectors

A malicious actor with administrator and network access may be able to remotely execute code on the underlying operating system.

Resolution

To remediate CVE-2022-31700, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Steven Seeley of Source Incite for reporting this issue to us.

3b. Broken Authentication Vulnerability (CVE-2022-31701)

Description

VMware Workspace ONE Access and Identity Manager contain a broken authentication vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access may be able to obtain system information due to an unauthenticated endpoint. Successful exploitation of this issue can lead to targeting victims.

Resolution

To remediate CVE-2022-31701 apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Kyung Yoon for reporting this issue to us.

Notes

None.

Response Matrix

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
Access	22.09.0.0	Linux	CVE-2022-31700	N/A	N/A	Unaffected	N/A	N/A
Access	22.09.0.0	Linux	CVE-2022-31701	5.3	moderate	22.09.1.0	None	None
Access	21.08.0.1, 21.08.0.0	Linux	CVE-2022-31700	7.2	important	KB90399	None	None
Access	21.08.0.1, 21.08.0.0	Linux	CVE-2022-31701	5.3	moderate	KB90399	None	None
Access Connector	All	Windows	CVE-2022-31700, CVE-2022-31701	N/A	N/A	Unaffected	N/A	N/A
vIDM	3.3.6	Linux	CVE-2022-31700	7.2	important	KB90399	None	None
vIDM	3.3.6	Linux	CVE-2022-31701	5.3	moderate	KB90399	None	None
vIDM Connector	All	Windows	CVE-2022-31700, CVE-2022-31701	N/A	N/A	Unaffected	N/A	N/A
VMware Cloud Foundation (vIDM)	Any	Any	CVE-2022-31700, CVE-2022-31701	7.2	important	KB90384	N/A	N/A