
=====================================================================

                                 CERT-Renater

                     Information Note No. 2022/VULN469

_____________________________________________________________________

DATE                : 16/12/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware Workspace ONE Access (Access),
                       VMware Identity Manager (vIDM),
                       VMware Cloud Foundation (Cloud Foundation).

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2022-0032.html
_____________________________________________________________________

Important

Advisory ID:      VMSA-2022-0032
CVSSv3 Range:     5.3-7.2
Issue Date:       2022-12-13
Updated On:       2022-12-13 (Initial Advisory)
CVE(s):           CVE-2022-31700, CVE-2022-31701

Synopsis:
VMware Workspace ONE Access and Identity Manager updates address
multiple vulnerabilities (CVE-2022-31700, CVE-2022-31701).

1. Impacted Products

     VMware Workspace ONE Access (Access)
     VMware Identity Manager (vIDM)
     VMware Cloud Foundation (Cloud Foundation)


2. Introduction

Multiple vulnerabilities were privately reported to VMware. Updates
are available to address these vulnerabilities in affected VMware products.


3a. Authenticated Remote Code Execution Vulnerability (CVE-2022-31700)

Description

VMware Workspace ONE Access and Identity Manager contain an
authenticated remote code execution vulnerability. VMware has
evaluated the severity of this issue to be in the Important severity
range with a maximum CVSSv3 base score of 7.2.

Known Attack Vectors

A malicious actor with administrator and network access may be able
to remotely execute code on the underlying operating system.

Resolution

To remediate CVE-2022-31700, apply the patches listed in the 'Fixed
Version' column of the 'Resolution Matrix' found below.

Workarounds
None.

Additional Documentation
None.

Notes
None.

Acknowledgements

VMware would like to thank Steven Seeley of Source Incite for
reporting this issue to us.


3b. Broken Authentication Vulnerability (CVE-2022-31701)

Description

VMware Workspace ONE Access and Identity Manager contain a broken
authentication vulnerability. VMware has evaluated the severity of
this issue to be in the Moderate severity range with a maximum
CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access may be able to obtain system
information due to an unauthenticated endpoint. Successful
exploitation of this issue can lead to targeting victims.

Resolution

To remediate CVE-2022-31701 apply the patches listed in the 'Fixed
Version' column of the 'Resolution Matrix' found below.

Workarounds
None.

Additional Documentation
None.

Acknowledgements

VMware would like to thank Kyung Yoon for reporting this issue to us.

Notes
None.


Response Matrix

Product                         Version               Running On  CVE Identifier                  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation

Access                          22.09.0.0             Linux       CVE-2022-31700                  N/A     N/A        Unaffected     N/A          N/A
Access                          22.09.0.0             Linux       CVE-2022-31701                  5.3     moderate   22.09.1.0      None         None
Access                          21.08.0.1, 21.08.0.0  Linux       CVE-2022-31700                  7.2     important  KB90399        None         None
Access                          21.08.0.1, 21.08.0.0  Linux       CVE-2022-31701                  5.3     moderate   KB90399        None         None
Access Connector                All                   Windows     CVE-2022-31700, CVE-2022-31701  N/A     N/A        Unaffected     N/A          N/A
vIDM                            3.3.6                 Linux       CVE-2022-31700                  7.2     important  KB90399        None         None
vIDM                            3.3.6                 Linux       CVE-2022-31701                  5.3     moderate   KB90399        None         None
vIDM Connector                  All                   Windows     CVE-2022-31700, CVE-2022-31701  N/A     N/A        Unaffected     N/A          N/A
VMware Cloud Foundation (vIDM)  Any                   Any         CVE-2022-31700, CVE-2022-31701  7.2     important  KB90384        N/A          N/A

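A triage helper that applies the matrix above to an appliance inventory, as an added example that is not VMware's or CERT-Renater's code; the inventory format, hostnames and the per-host hotfix list are assumptions, and the point it makes is that KB90399 is a hotfix, so a 21.08 or 3.3.6 version string alone cannot prove a host is fixed:

```python
"""Match an appliance inventory against the VMSA-2022-0032 response matrix.
Added illustration, not VMware tooling. The inventory is constructed sample
data; hotfix evidence would normally be collected from the appliance itself,
because applying KB90399 does not change the reported version."""
from typing import Dict, List, Tuple

# (product, affected versions, CVE, fix) rows transcribed from the matrix.
# Rows the advisory marks Unaffected carry no fix and are omitted on purpose.
MATRIX: List[Tuple[str, Tuple[str, ...], str, str]] = [
    ("Access", ("22.09.0.0",), "CVE-2022-31701", "22.09.1.0"),
    ("Access", ("21.08.0.1", "21.08.0.0"), "CVE-2022-31700", "KB90399"),
    ("Access", ("21.08.0.1", "21.08.0.0"), "CVE-2022-31701", "KB90399"),
    ("vIDM", ("3.3.6",), "CVE-2022-31700", "KB90399"),
    ("vIDM", ("3.3.6",), "CVE-2022-31701", "KB90399"),
]


def outstanding(product: str, version: str,
                hotfixes: Tuple[str, ...] = ()) -> List[str]:
    """CVEs still open on one appliance, each with the advisory's action.

    A KB-style fix is a hotfix: it counts as applied only when it appears in
    `hotfixes`, never inferred from the version. A version-style fix is
    satisfied once the host runs that version (it is then not in `affected`).
    """
    open_cves = []
    for prod, affected, cve, fix in MATRIX:
        if prod != product or version not in affected:
            continue
        if fix.startswith("KB"):
            if fix not in hotfixes:
                open_cves.append(f"{cve}: apply {fix}")
        else:
            open_cves.append(f"{cve}: upgrade to {fix}")
    return open_cves


def triage(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Map hostname -> open findings for every inventory entry."""
    return {h["name"]: outstanding(h["product"], h["version"],
                                   tuple(h.get("hotfixes", ())))
            for h in inventory}


# Constructed sample inventory (hostnames and patch states are invented).
SAMPLE_INVENTORY = [
    {"name": "access-a", "product": "Access", "version": "22.09.0.0"},
    {"name": "access-b", "product": "Access", "version": "22.09.1.0"},
    {"name": "access-c", "product": "Access", "version": "21.08.0.1",
     "hotfixes": ["KB90399"]},
    {"name": "vidm-a", "product": "vIDM", "version": "3.3.6"},
    {"name": "conn-a", "product": "Access Connector", "version": "22.09"},
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_INVENTORY).items():
        print(host, findings or "no outstanding findings")
```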

4. References

Fixed Version(s):
VMware Workspace ONE Access 22.09.1.0
Release Notes: 
https://docs.vmware.com/en/VMware-Workspace-ONE-Access/22.09.1.0/rn/vmware-workspace-one-access-220910-release-notes/index.html
KB90399: https://kb.vmware.com/s/article/90399

VMware Cloud Foundation (vIDM) KB90384: 
https://kb.vmware.com/s/article/90384

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31700
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31701

FIRST CVSSv3 Calculator:

CVE-2022-31700: 7.2 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-31701: 5.3 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N


5. Change Log

2022-12-13 VMSA-2022-0032
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce



This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org



E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2022 VMware Inc. All rights reserved.

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


