
===================================================================
                              CERT-Renater

                     Information Note No. 2021/VULN127
_____________________________________________________________________

DATE                : 24/03/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware Carbon Black App Control
                 (AppC) versions prior to 8.8.2, 8.7.4, 8.6.6, 8.5.14.

====================================================================
https://www.vmware.com/security/advisories/VMSA-2022-0008.html
_____________________________________________________________________

Critical

Advisory ID:   VMSA-2022-0008
CVSSv3 Range:  9.1
Issue Date:    2022-03-23
Updated On:    2022-03-23 (Initial Advisory)
CVE(s):        CVE-2022-22951, CVE-2022-22952

Synopsis:
VMware Carbon Black App Control update addresses multiple 
vulnerabilities (CVE-2022-22951, CVE-2022-22952)



1. Impacted Products

VMware Carbon Black App Control (AppC)


2. Introduction

Multiple vulnerabilities in VMware Carbon Black App Control were 
privately reported to VMware. Updates are available to remediate these 
vulnerabilities in affected VMware products.

3a. OS command injection vulnerability in VMware Carbon Black App 
Control (CVE-2022-22951)


Description

VMware Carbon Black App Control contains an OS command injection 
vulnerability. VMware has evaluated the severity of this issue to be in 
the Critical severity range with a maximum CVSSv3 base score of 9.1.


Known Attack Vectors

An authenticated, high privileged malicious actor with network access to 
the VMware App Control administration interface may be able to execute 
commands on the server due to improper input validation leading to 
remote code execution.


Resolution

To remediate CVE-2022-22951 apply the patches listed in the 'Fixed 
Version' column of the 'Response Matrix' found below.


Workarounds

None.


Additional Documentation

None.


Notes

Before using the download links make sure to log into the Carbon Black 
User Exchange (UEX).


Acknowledgements

VMware would like to thank Jari Jääskelä (@JJaaskela) for reporting this 
issue to us.

3b. File upload vulnerability in VMware Carbon Black App Control 
(CVE-2022-22952)

Description

VMware Carbon Black App Control contains a file upload vulnerability. 
VMware has evaluated the severity of this issue to be in the Critical 
severity range with a maximum CVSSv3 base score of 9.1.

Known Attack Vectors

A malicious actor with administrative access to the VMware App Control 
administration interface may be able to execute code on the Windows 
instance where AppC Server is installed by uploading a specially crafted 
file.

Resolution

To remediate CVE-2022-22952 apply the patches listed in the 'Fixed 
Version' column of the 'Response Matrix' found below.

Workarounds

None.


Additional Documentation

None.


Notes

Before using the download links make sure to log into the Carbon Black 
User Exchange (UEX).

Acknowledgements

VMware would like to thank Jari Jääskelä (@JJaaskela) for reporting this 
issue to us.

Response Matrix 3a, 3b

Product  Version  Running On  CVE Identifier                  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
AppC     8.8.x    Windows     CVE-2022-22951, CVE-2022-22952  9.1     Critical  8.8.2          None         None
AppC     8.7.x    Windows     CVE-2022-22951, CVE-2022-22952  9.1     Critical  8.7.4          None         None
AppC     8.6.x    Windows     CVE-2022-22951, CVE-2022-22952  9.1     Critical  8.6.6          None         None
AppC     8.5.x    Windows     CVE-2022-22951, CVE-2022-22952  9.1     Critical  8.5.14         None         None
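As an added helper (not part of the advisory or of VMware's tooling), the following script encodes the Response Matrix above and reports whether a given AppC server version string is still exposed; the version strings passed to it and the "not-listed" label for branches outside the matrix are assumptions made here.

```python
"""Check an AppC server version against the VMSA-2022-0008 Response Matrix."""
import re

# Fixed version per release branch, as listed in the advisory's Response Matrix.
FIXED_VERSIONS = {
    (8, 8): (8, 8, 2),
    (8, 7): (8, 7, 4),
    (8, 6): (8, 6, 6),
    (8, 5): (8, 5, 14),
}


def parse_version(text):
    """Turn '8.5.13' (or '8.5.13.1234' with a build number) into an int tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return 'vulnerable', 'fixed' or 'not-listed' for an installed AppC version.

    Components are compared numerically, so 8.5.9 is correctly older than
    8.5.14 (a plain string comparison would rank '8.5.9' above '8.5.14').
    Branches the matrix does not cover are reported as 'not-listed' rather
    than guessed at (assumed label; consult the vendor for those builds).
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "not-listed"
    return "fixed" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("appc-01", "8.5.13"), ("appc-02", "8.8.2"), ("appc-03", "8.6.5")]:
        print(host, ver, assess(ver))
```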


4. References

Fixed Version(s) and Release Notes:

VMware Carbon Black App Control 8.8.2, 8.7.4, 8.6.6, 8.5.14

Downloads and Documentation:

https://community.carbonblack.com/t5/Documentation-Downloads/Critical-App-Control-Server-Patch-Announcement-3-23-22/ta-p/111804#M3557

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22951
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22952


FIRST CVSSv3 Calculator:
CVE-2022-22951: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-22952: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H


5. Change Log

2022-03-23 VMSA-2022-0008
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC


Copyright 2022 VMware Inc. All rights reserved.



=======================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=======================================================