=================================================================== CERT-Renater Note d'Information No. 2022/VULN262 _____________________________________________________________________ DATE : 03/08/2022 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector and vRealize Automation ====================================================================https://www.vmware.com/security/advisories/VMSA-2022-0021.html _____________________________________________________________________ Critical Advisory ID: VMSA-2022-0021 CVSSv3 Range: 4.7-9.8 Issue Date: 2022-08-02 Updated On: 2022-08-02 (Initial Advisory) CVE(s): CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665 Synopsis: VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector and vRealize Automation updates address multiple vulnerabilities. 1. Impacted Products • VMware Workspace ONE Access (Access) • VMware Workspace ONE Access Connector (Access Connector) • VMware Identity Manager (vIDM) • VMware Identity Manager Connector (vIDM Connector) • VMware vRealize Automation (vRA) • VMware Cloud Foundation • vRealize Suite Lifecycle Manager 2. Introduction Multiple vulnerabilities were privately reported to VMware. Patches are available to remediate these vulnerabilities in affected VMware products. 3a. Authentication Bypass Vulnerability (CVE-2022-31656) Description VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. Known Attack Vectors A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. Resolution To remediate CVE-2022-31656, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. Workarounds Workarounds for CVE-2022-31656 have been documented in the VMware Knowledge Base articles listed in the 'Workarounds' column of the 'Response Matrix' below. Additional Documentation A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq Notes None. Acknowledgements VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us. 3b. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31658) Description VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. Known Attack Vectors A malicious actor with administrator and network access can trigger a remote code execution. Resolution To remediate CVE-2022-31658, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. Workarounds None. Additional Documentation A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq Notes None. Acknowledgements VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us. 3c. SQL injection Remote Code Execution Vulnerability (CVE-2022-31659) Description VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. Known Attack Vectors A malicious actor with administrator and network access can trigger a remote code execution. Resolution To remediate CVE-2022-31659, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. Workarounds None. Additional Documentation A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq Notes None. Acknowledgements VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us. 3d. Local Privilege Escalation Vulnerability (CVE-2022-31660, CVE-2022-31661) Description VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. VMware has evaluated the severity of these issues to be in the Important severity range with a maximum CVSSv3 base score of 7.8. Known Attack Vectors A malicious actor with local access can escalate privileges to 'root'. Resolution To remediate CVE-2022-31660 and CVE-2022-31661 apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. Workarounds None. Additional Documentation A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq Notes None. Acknowledgements VMware would like to thank Spencer McIntyre of Rapid7 for reporting these issues to us. 3e. Local Privilege Escalation Vulnerability (CVE-2022-31664) Description VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. Known Attack Vectors A malicious actor with local access can escalate privileges to 'root'. Resolution To remediate CVE-2022-31664, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. Workarounds None. Additional Documentation A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq Notes None. Acknowledgements VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us. 3f. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31665) Description VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.6. Known Attack Vectors A malicious actor with administrator and network access can trigger a remote code execution. Resolution To remediate CVE-2022-31665, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. Workarounds None. Additional Documentation A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq Notes None. Acknowledgements VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us. 3g. URL Injection Vulnerability (CVE-2022-31657) Description VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9. Known Attack Vectors A malicious actor with network access may be able to redirect an authenticated user to an arbitrary domain. Resolution To remediate CVE-2022-31657, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. Workarounds None. Additional Documentation A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq Notes None. Acknowledgements VMware would like to thank Tom Tervoort of Secura for reporting this issue to us. 3h. Path traversal vulnerability (CVE-2022-31662) Description VMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation contain a path traversal vulnerability. VMware has evaluated the severity of this issues to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. Known Attack Vectors A malicious actor with network access may be able to access arbitrary files. Resolution To remediate CVE-2022-31662, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. Workarounds None. Additional Documentation A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq Notes None. Acknowledgements VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us. 3i. Cross-site scripting (XSS) vulnerability (CVE-2022-31663) Description VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a reflected cross-site scripting (XSS) vulnerability. VMware has evaluated the severity of this issues to be in the Moderate severity range with a maximum CVSSv3 base score of 4.7. Known Attack Vectors Due to improper user input sanitization, a malicious actor with some user interaction may be able to inject javascript code in the target user's window. Resolution To remediate CVE-2022-31663, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. Workarounds None. Additional Documentation A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0021-questions-answers-faq Notes None. Acknowledgements VMware would like to thank PetrusViet (a member of VNG Security) for reporting this issue to us. Response Matrix - Access 21.08.x Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation Access 21.08.0.1, 21.08.0.0 Linux CVE-2022-31656 9.8 critical KB89096 KB89084 FAQ Access 21.08.0.1, 21.08.0.0 Linux CVE-2022-31658 8.0 important KB89096 None FAQ Access 21.08.0.1, 21.08.0.0 Linux CVE-2022-31659 8.0 important KB89096 None FAQ Access 21.08.0.1, 21.08.0.0 Linux CVE-2022-31660, CVE-2022-31661 7.8 important KB89096 None FAQ Access 21.08.0.1, 21.08.0.0 Linux CVE-2022-31664 7.8 important KB89096 None FAQ Access 21.08.0.1, 21.08.0.0 Linux CVE-2022-31665 7.6 important KB89096 None FAQ Access 21.08.0.1, 21.08.0.0 Linux CVE-2022-31657 5.9 moderate KB89096 None FAQ Access 21.08.0.1, 21.08.0.0 Linux CVE-2022-31662 5.3 moderate KB89096 None FAQ Access 21.08.0.1, 21.08.0.0 Linux CVE-2022-31663 4.7 moderate KB89096 None FAQ Response Matrix - Identity Manager 3.3.x Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation vIDM 3.3.6, 3.3.5, 3.3.4 Linux CVE-2022-31656 9.8 critical KB89096 KB89084 FAQ vIDM 3.3.6, 3.3.5, 3.3.4 Linux CVE-2022-31658 8.0 important KB89096 None FAQ vIDM 3.3.6, 3.3.5, 3.3.4 Linux CVE-2022-31659 8.0 important KB89096 None FAQ vIDM 3.3.6, 3.3.5, 3.3.4 Linux CVE-2022-31660, CVE-2022-31661 7.8 important KB89096 None FAQ vIDM 3.3.6, 3.3.5, 3.3.4 Linux CVE-2022-31664 7.8 important KB89096 None FAQ vIDM 3.3.6, 3.3.5, 3.3.4 Linux CVE-2022-31665 7.6 important KB89096 None FAQ vIDM 3.3.6, 3.3.5, 3.3.4 Linux CVE-2022-31657 5.9 moderate KB89096 None FAQ vIDM 3.3.6, 3.3.5, 3.3.4 Linux CVE-2022-31662 5.3 moderate KB89096 None FAQ vIDM 3.3.6, 3.3.5, 3.3.4 Linux CVE-2022-31663 4.7 moderate KB89096 None FAQ Response Matrix - Connectors Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation Access Connector 22.05 Windows CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665 N/A N/A Unaffected N/A N/A Access Connector 21.08.0.1, 21.08.0.0 Windows CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665 N/A N/A Unaffected N/A N/A vIDM Connector 3.3.6, 3.3.5, 3.3.4 Windows CVE-2022-31662 5.3 moderate KB89096 None FAQ vIDM Connector 3.3.6, 3.3.5, 3.3.4 Windows CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665 N/A N/A Unaffected N/A N/A vIDM Connector 19.03.0.1 Windows CVE-2022-31662 5.3 moderate KB89096 None FAQ vIDM Connector 19.03.0.1 Windows CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665 N/A N/A Unaffected N/A N/A Response Matrix - vRealize Automation (vIDM) Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation vRealize Automation [1] 8.x Linux CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665 N/A N/A Unaffected N/A N/A vRealize Automation (vIDM) [2] 7.6 Linux CVE-2022-31656 9.8 critical KB89096 KB89084 FAQ vRealize Automation (vIDM) [2] 7.6 Linux CVE-2022-31658 8.0 important KB89096 None FAQ vRealize Automation (vIDM) [2] 7.6 Linux CVE-2022-31659 8.0 important KB89096 None FAQ vRealize Automation (vIDM) [2] 7.6 Linux CVE-2022-31660, CVE-2022-31661 7.8 important KB89096 None FAQ vRealize Automation (vIDM) [2] 7.6 Linux CVE-2022-31664 7.8 important KB89096 None FAQ vRealize Automation (vIDM) [2] 7.6 Linux CVE-2022-31665 7.6 important KB89096 None FAQ vRealize Automation (vIDM) [2] 7.6 Linux CVE-2022-31657 5.9 moderate KB89096 None FAQ vRealize Automation (vIDM) [2] 7.6 Linux CVE-2022-31662 5.3 moderate KB89096 None FAQ vRealize Automation (vIDM) [2] 7.6 Linux CVE-2022-31663 4.7 moderate KB89096 None FAQ [1] vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM. [2] vRealize Automation 7.6 is affected since it uses embedded vIDM. Impacted Product Suites that Deploy vIDM Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation VMware Cloud Foundation (vIDM) 4.4.x, 4.3.x, 4.2.x Any CVE-2022-31656 9.8 critical KB89096 KB89084 FAQ VMware Cloud Foundation (vIDM) 4.4.x, 4.3.x, 4.2.x Any CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665, CVE-2022-31657, CVE-2022-31662, CVE-2022-31663 8.0, 8.0, 7.8, 7.8, 7.8, 7.6, 5.9, 5.3, 4.7 important KB89096 None FAQ vRealize Suite Lifecycle Manager (vIDM) 8.x Any CVE-2022-31656 9.8 critical KB89096 KB89084 FAQ vRealize Suite Lifecycle Manager (vIDM) 8.x Any CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665, CVE-2022-31657, CVE-2022-31662, CVE-2022-31663 8.0, 8.0, 7.8, 7.8, 7.8, 7.6, 5.9, 5.3, 4.7 important KB89096 None FAQ Impacted Product Suites that Deploy vRA Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation VMware Cloud Foundation (vRA) 3.x Any CVE-2022-31656 9.8 critical KB89096 KB89084 FAQ VMware Cloud Foundation (vRA) 3.x Any CVE-2022-31658, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665, CVE-2022-31662, CVE-2022-31663 8.0, 7.8, 7.8, 7.8, 7.6, 5.3, 4.7 important KB89096 None FAQ VMware Cloud Foundation (vRA) 3.x Any CVE-2022-31659 N/A N/A Unaffected N/A N/A VMware Cloud Foundation (vRA) 3.x Any CVE-2022-31657 N/A N/A Unaffected N/A N/A 4. References Fixed Version(s): https://kb.vmware.com/s/article/89096 Workarounds: https://kb.vmware.com/s/article/89084 Mitre CVE Dictionary Links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31656 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31657 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31658 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31659 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31660 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31661 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31662 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31663 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31664 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31665 FIRST CVSSv3 Calculator: CVE-2022-31656: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2022-31657: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N CVE-2022-31658: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2022-31659: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2022-31660: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-31661: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-31662: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2022-31663: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N CVE-2022-31664: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-31665: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N 5. Change Log 2022-08-02: VMSA-2022-0021 Initial security advisory. 6. Contact E-mail list for product security notifications and announcements: https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: security-announce@lists.vmware.com bugtraq@securityfocus.com fulldisclosure@seclists.org E-mail: security@vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories https://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html VMware Security & Compliance Blog https://blogs.vmware.com/security Twitter https://twitter.com/VMwareSRC Copyright 2022 VMware Inc. All rights reserved. ========================================================+ CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + ======================================================= --------------ocKBkgkYVshXW6esKq6pBAd6--