VMSA-2022-0032:VMware Workspace ONE Access and Identity Manager updates address multiple vulnerabilities

VMware Tanzu Application Service

0 more products

23652

11 December 2022

11 December 2022

CLOSED

HIGH

5.3-7.2

CVE-2022-31700,CVE-2022-31701

VMSA-2022-0032
5.3-7.2
2022-12-13
2022-12-13 (Initial Advisory)
CVE-2022-31700, CVE-2022-31701
VMware Workspace ONE Access and Identity Manager updates address multiple vulnerabilities (CVE-2022-31700, CVE-2022-31701).
1. Impacted Products

 

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware Cloud Foundation (Cloud Foundation)

 

2. Introduction

Multiple vulnerabilities were privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.

3a. Authenticated Remote Code Execution Vulnerability (CVE-2022-31700)

Description

VMware Workspace ONE Access and Identity Manager contain an authenticated remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.

Known Attack Vectors

A malicious actor with administrator and network access may be able to remotely execute code on the underlying operating system.

Resolution

To remediate CVE-2022-31700, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Steven Seeley of Source Incite for reporting this issue to us.

3b. Broken Authentication Vulnerability (CVE-2022-31701)

Description

VMware Workspace ONE Access and Identity Manager contain a broken authentication vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access may be able to obtain system information due to an unauthenticated endpoint. Successful exploitation of this issue can lead to targeting victims.

Resolution

To remediate CVE-2022-31701 apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Kyung Yoon for reporting this issue to us.

Notes

None.

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
Access
22.09.0.0
Linux
CVE-2022-31700
N/A
N/A
Unaffected
N/A
N/A
Access
22.09.0.0
Linux
CVE-2022-31701
moderate
None
None
Access
21.08.0.1, 21.08.0.0
Linux
CVE-2022-31700
important
None
None
Access
21.08.0.1, 21.08.0.0
Linux
CVE-2022-31701
moderate
None
None
Access Connector
All
Windows
CVE-2022-31700, CVE-2022-31701
N/A
N/A
Unaffected
N/A
N/A
vIDM
3.3.6
Linux
CVE-2022-31700
important
None
None
vIDM
3.3.6
Linux
CVE-2022-31701
moderate
None
None
vIDM Connector
All
Windows
CVE-2022-31700, CVE-2022-31701
N/A
N/A
Unaffected
N/A
N/A
VMware Cloud Foundation (vIDM)
Any
Any
CVE-2022-31700, CVE-2022-31701
important
N/A
N/A
4. References
5. Change Log

2022-12-13 VMSA-2022-0032
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

 

This Security Advisory is posted to the following lists:  

[email protected]  

[email protected]  

[email protected] 

 

E-mail: [email protected]

PGP key at:

https://kb.vmware.com/kb/1055 

 

VMware Security Advisories

https://www.vmware.com/security/advisories 

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2022 VMware Inc. All rights reserved.