===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2022.1488.2
Critical Severity - VMSA-2022-0011 - VMware Workspace ONE Access, Identity
 Manager and vRealize Automation updates address multiple vulnerabilities
                               14 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Workspace ONE Access (Access)
                   VMware Identity Manager (vIDM)
                   VMware vRealize Automation (vRA)
                   VMware Cloud Foundation
                   vRealize Suite Lifecycle Manager
Publisher:         VMware
Operating System:  Virtualisation
                   Linux variants
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22961 CVE-2022-22960 CVE-2022-22959
                   CVE-2022-22958 CVE-2022-22957 CVE-2022-22956
                   CVE-2022-22955 CVE-2022-22954 

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2022-0011.html

Comment: CVSS (Max):  9.8 CVE-2022-22954 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: VMware
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Revision History:  April 14 2022: VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the wild
                   April  7 2022: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Critical

Advisory ID: VMSA-2022-0011.1
CVSSv3 Range: 5.3-9.8
Issue Date: 2022-04-06
Updated On: 2022-04-13
CVE(s): CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957,
CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961
Synopsis: VMware Workspace ONE Access, Identity Manager and vRealize
Automation updates address multiple vulnerabilities.

1. Impacted Products

  o VMware Workspace ONE Access (Access)
  o VMware Identity Manager (vIDM)
  o VMware vRealize Automation (vRA)
  o VMware Cloud Foundation
  o vRealize Suite Lifecycle Manager

2. Introduction

Multiple vulnerabilities were privately reported to VMware. Patches are
available to remediate these vulnerabilities in affected VMware products.

3a. Server-side Template Injection Remote Code Execution Vulnerability
(CVE-2022-22954)

Description

VMware Workspace ONE Access and Identity Manager contain a remote code
execution vulnerability due to server-side template injection: request data
reaches the template engine as template text rather than as a value, so the
engine evaluates attacker-chosen directives on the server. VMware has evaluated
the severity of this issue to be in the Critical severity range with a maximum
CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor with network access can trigger a server-side template
injection that may result in remote code execution. No credentials and no user
interaction are required (CVSSv3 PR:N/UI:N; the full vector is listed in
section 4).

Resolution

To remediate CVE-2022-22954, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

Workarounds for CVE-2022-22954 have been documented in the VMware Knowledge
Base articles listed in the 'Workarounds' column of the 'Response Matrix'
below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2022-0011-qna

Notes

VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the
wild.

Acknowledgements

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability
Research Institute for reporting these issues to us.
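The advisory does not say which template engine or which request parameter is
involved, and the code below is not VMware's; it is an added illustration of
the bug class only. It uses Python's str.format as a stand-in template engine,
because its field syntax allows attribute and index traversal just as server
templating languages do. The secret, the User class and the payload are all
constructed for the example. render_vulnerable is deliberately vulnerable;
render_hardened and SafeFormatter show the two fixes: never let a request
supply the template text, and, where users must author templates, resolve
only bare names from an explicit context.

```python
import string

# Constructed stand-in for a configuration value that must never reach a page.
# It lives in this module's globals, which is exactly where the payload walks.
SECRET_DB_PASSWORD = "constructed-secret"


class User:
    """Minimal object placed in the rendering context (constructed)."""

    def __init__(self, name):
        self.name = name


def render_vulnerable(template_from_request, user):
    """Deliberately vulnerable: the request controls the template text itself,
    so the engine's attribute/index traversal runs along attacker-chosen paths.
    user.__init__.__globals__ reaches the module globals of the bound method,
    and an index with a non-numeric key is looked up as a string key."""
    return template_from_request.format(user=user)


def render_hardened(developer_template, **values):
    """Fixed template chosen by the developer; request data enters only as
    values, so braces inside a value are literal text, never directives."""
    return developer_template.format(**values)


class SafeFormatter(string.Formatter):
    """For the rare case where users legitimately author templates: a
    formatter that resolves only bare identifiers present in the supplied
    context and refuses attribute access, indexing and positional fields."""

    def get_field(self, field_name, args, kwargs):
        if not field_name.isidentifier() or field_name not in kwargs:
            raise ValueError(f"template field not allowed: {field_name!r}")
        return kwargs[field_name], field_name


def render_sandboxed(user_template, **context):
    return SafeFormatter().format(user_template, **context)


def demo():
    """Run the same payload through all three renderers and report results."""
    user = User("alice")
    # Constructed payload: walks from the context object to module globals.
    payload = "{user.__init__.__globals__[SECRET_DB_PASSWORD]}"
    out = {"vulnerable": render_vulnerable(payload, user)}
    # Same payload as a *value*: rendered verbatim, no traversal happens.
    out["hardened"] = render_hardened("Hello, {name}!", name=payload)
    try:
        render_sandboxed(payload, user=user)
        out["sandboxed"] = "rendered"
    except ValueError as exc:
        out["sandboxed"] = f"rejected: {exc}"
    out["sandboxed_ok"] = render_sandboxed("Hello, {name}!", name=user.name)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

The vulnerable path leaks the secret; the hardened path prints the braces
literally; the sandboxed formatter raises on the traversal but still renders
an honest template. The same split (template text from the developer, data
from the request) is what to verify in any engine, whatever its syntax.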

3b. OAuth2 ACS Authentication Bypass Vulnerabilities (CVE-2022-22955,
CVE-2022-22956)

Description

VMware Workspace ONE Access has two authentication bypass vulnerabilities in
the OAuth2 ACS framework. VMware has evaluated the severity of these issues to
be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor may bypass the authentication mechanism and execute any
operation due to exposed endpoints in the authentication framework.

Resolution

To remediate CVE-2022-22955 and CVE-2022-22956, apply the patches listed in
the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

Workarounds for CVE-2022-22955 and CVE-2022-22956 have been documented in the
VMware Knowledge Base articles listed in the 'Workarounds' column of the
'Response Matrix' below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2022-0011-qna

Notes

These issues only impact Workspace ONE Access.

Acknowledgements

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability
Research Institute for reporting these issues to us.

3c. JDBC Injection Remote Code Execution Vulnerabilities (CVE-2022-22957,
CVE-2022-22958)

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain
two JDBC injection vulnerabilities that can lead to remote code execution.
VMware has evaluated the severity of these issues to be in the Critical
severity range with a maximum CVSSv3 base score of 9.1.

Known Attack Vectors

A malicious actor with administrative access can trigger deserialization of
untrusted data through a malicious JDBC URI, which may result in remote code
execution. The CVSSv3 vector (PR:H, S:C; see section 4) reflects that the
attacker must already hold admin rights, and that code execution lands outside
the component that accepted the URI.

Resolution

To remediate CVE-2022-22957 and CVE-2022-22958, apply the patches listed in
the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

Workarounds for CVE-2022-22957 and CVE-2022-22958 have been documented in the
VMware Knowledge Base articles listed in the 'Workarounds' column of the
'Response Matrix' below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2022-0011-qna

Notes

None.

Acknowledgements

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability
Research Institute for reporting these issues to us.

3d. Cross Site Request Forgery Vulnerability (CVE-2022-22959)

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain
a cross site request forgery vulnerability. VMware has evaluated the severity
of this issue to be in the Important severity range with a maximum CVSSv3 base
score of 8.8.

Known Attack Vectors

A malicious actor can trick an authenticated user, via cross site request
forgery, into unintentionally submitting a malicious JDBC URI for validation.
The forged request needs no credentials of the attacker's own but does need
the victim to act (CVSSv3 PR:N/UI:R; see section 4).

Resolution

To remediate CVE-2022-22959, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

Workarounds for CVE-2022-22959 have been documented in the VMware Knowledge
Base articles listed in the 'Workarounds' column of the 'Response Matrix'
below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2022-0011-qna

Notes

None.

Acknowledgements

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability
Research Institute for reporting these issues to us.
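Sections 3c and 3d share one untrusted input: a JDBC URI that an administrator
submits for validation, either deliberately or because a forged cross-site
request submitted it for them. The advisory gives neither the endpoint nor the
driver involved, so the Python below is an added example of how a
practitioner would harden such an endpoint, not VMware's code. Everything in
it is assumed: the endpoint shape, the allowlisted subprotocols and driver
properties, the session dict and the origin values. It shows the two
controls that matter here: treat the connection string as data to be checked
against an allowlist before any driver sees it, and refuse the
state-changing request unless it carries a session-bound token and a matching
Origin.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qsl, urlsplit

# Assumed deployment policy (not from the advisory): the only back ends this
# service may connect to and the only driver properties a URI may carry.
# Anything outside the allowlist is rejected rather than passed to a driver.
ALLOWED_SUBPROTOCOLS = {"postgresql", "mysql"}
ALLOWED_PROPERTIES = {"ssl", "sslmode", "connectTimeout"}
_DB_NAME = re.compile(r"^/[A-Za-z0-9_]{1,64}$")
_HOSTNAME = re.compile(r"^[A-Za-z0-9.-]{1,253}$")  # hostnames only, no IPv6


class JdbcUriError(ValueError):
    """Raised when a connection string fails the allowlist."""


def parse_jdbc_uri(uri):
    """Parse jdbc:<subprotocol>://host[:port]/db[?prop=value...] strictly."""
    if not uri.startswith("jdbc:"):
        raise JdbcUriError("scheme must be jdbc:")
    subprotocol, sep, remainder = uri[len("jdbc:"):].partition(":")
    if not sep or subprotocol not in ALLOWED_SUBPROTOCOLS:
        raise JdbcUriError(f"subprotocol not allowed: {subprotocol!r}")
    parts = urlsplit(f"{subprotocol}:{remainder}")
    if parts.username is not None or parts.password is not None:
        raise JdbcUriError("credentials must not be embedded in the URI")
    if parts.fragment:
        raise JdbcUriError("fragment not allowed")
    if not parts.hostname or not _HOSTNAME.match(parts.hostname):
        raise JdbcUriError("missing or malformed host")
    try:
        port = parts.port  # None means driver default; non-numeric raises
    except ValueError:
        raise JdbcUriError("malformed port") from None
    # ';'-separated driver options stay in .path with urlsplit, so the
    # database-name pattern rejects them along with any other junk.
    if not _DB_NAME.match(parts.path):
        raise JdbcUriError(f"malformed database name: {parts.path!r}")
    try:
        pairs = parse_qsl(parts.query, keep_blank_values=True,
                          strict_parsing=True) if parts.query else []
    except ValueError as exc:
        raise JdbcUriError(f"malformed properties: {exc}") from None
    props = {}
    for key, value in pairs:
        if key not in ALLOWED_PROPERTIES:
            raise JdbcUriError(f"driver property not allowed: {key!r}")
        if key in props:
            raise JdbcUriError(f"duplicate property: {key!r}")
        props[key] = value
    return {"subprotocol": subprotocol, "host": parts.hostname, "port": port,
            "database": parts.path[1:], "properties": props}


def is_rejected(uri):
    try:
        parse_jdbc_uri(uri)
    except JdbcUriError:
        return True
    return False


def issue_csrf_token(session):
    """Bind a fresh random token to the caller's server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def handle_validate_jdbc(session, form, origin, expected_origin):
    """Handler for an assumed POST /validate-jdbc endpoint: (status, body)."""
    # A browser-initiated cross-site POST carries the attacker's Origin, so a
    # mismatch (or a missing header) is rejected before anything is parsed.
    if origin != expected_origin:
        return 403, "origin mismatch"
    # Synchroniser token from the session, compared in constant time.
    expected = session.get("csrf_token", "")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(submitted.encode(),
                                               expected.encode()):
        return 403, "missing or invalid csrf token"
    # Only now is the untrusted URI examined, and only against the allowlist.
    try:
        parsed = parse_jdbc_uri(form.get("jdbc_uri", ""))
    except JdbcUriError as exc:
        return 400, str(exc)
    return 200, parsed
```

Deny-listing "dangerous" driver properties is the wrong shape for this
problem: each driver has its own, and they change between releases. The
allowlist above accepts exactly what the deployment needs and nothing else.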

3e. Local Privilege Escalation Vulnerability (CVE-2022-22960)

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain
a privilege escalation vulnerability due to improper permissions in support
scripts. VMware has evaluated the severity of this issue to be in the
Important severity range with a maximum CVSSv3 base score of 7.8.

Known Attack Vectors

A malicious actor with local access can escalate privileges to 'root'.

Resolution

To remediate CVE-2022-22960, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

Workarounds for CVE-2022-22960 have been documented in the VMware Knowledge
Base articles listed in the 'Workarounds' column of the 'Response Matrix'
below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2022-0011-qna

Notes

None.

Acknowledgements

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability
Research Institute for reporting these issues to us.
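The advisory names the cause, improper permissions on support scripts, but
not the scripts or their paths, so the Python below is an added audit helper
rather than anything from the appliance. The directory layout it checks is a
constructed fixture. The check goes beyond the obvious file mode bits: a
script is just as replaceable if its parent directory is writable by others,
or if it is a symlink the attacker can repoint, so both are reported. On a
real host you would run it over the directories a privileged job executes
from, with trusted_uids={0}; the demo uses the current uid so it runs as any
user.

```python
import os
import stat
import tempfile
from pathlib import Path


def _writable_by_others(mode):
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_privileged_scripts(script_dirs, trusted_uids=(0,)):
    """Return (path, reason) findings for anything under script_dirs that a
    local user could alter before a privileged process executes it."""
    findings = []
    for top in script_dirs:
        if not os.path.isdir(top):
            findings.append((str(top), "directory missing"))
            continue
        for dirpath, _dirnames, filenames in os.walk(top):
            dst = os.lstat(dirpath)
            if dst.st_uid not in trusted_uids:
                findings.append((dirpath, f"directory owned by uid {dst.st_uid}"))
            # A writable directory lets anyone rename a script away and drop
            # their own in its place; the sticky bit blocks that for others'
            # files, so sticky world-writable dirs are not flagged here.
            if _writable_by_others(dst.st_mode) and not dst.st_mode & stat.S_ISVTX:
                findings.append((dirpath, "directory writable by group/other"))
            for name in filenames:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    findings.append((path, "symlink; target may be attacker-controlled"))
                    continue
                if st.st_uid not in trusted_uids:
                    findings.append((path, f"owned by uid {st.st_uid}"))
                if _writable_by_others(st.st_mode):
                    findings.append((path, "writable by group/other"))
    return findings


def demo():
    """Build a constructed fixture, audit it, and return {relpath: [reasons]}."""
    with tempfile.TemporaryDirectory() as base:
        root = Path(base) / "scripts"
        root.mkdir()
        os.chmod(root, 0o755)                      # sane directory
        (root / "ok.sh").write_text("#!/bin/sh\necho ok\n")
        os.chmod(root / "ok.sh", 0o755)            # root-style script, fine
        (root / "loose.sh").write_text("#!/bin/sh\necho loose\n")
        os.chmod(root / "loose.sh", 0o777)         # anyone can edit it
        drop = root / "drop"
        drop.mkdir()
        os.chmod(drop, 0o777)                      # anyone can replace files
        (drop / "helper.sh").write_text("#!/bin/sh\n")
        os.chmod(drop / "helper.sh", 0o755)        # file itself looks fine
        os.symlink("/nonexistent/target", root / "link.sh")
        findings = audit_privileged_scripts([root], trusted_uids={os.getuid()})
        report = {}
        for path, reason in findings:
            report.setdefault(os.path.relpath(path, base), []).append(reason)
        return report


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons))
```

helper.sh has mode 0755 and would pass a file-only check, yet it is flagged
through its directory; that is the case a chmod-only review misses.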

3f. Information Disclosure Vulnerability (CVE-2022-22961)

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain
an information disclosure vulnerability due to returning excess information.
VMware has evaluated the severity of this issue to be in the Moderate severity
range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access, and no credentials (CVSSv3 PR:N), may
obtain the hostname of the target system. The disclosed hostname can then be
used to select and target that system in further attacks.

Resolution

To remediate CVE-2022-22961, apply the patches listed in the 'Fixed Version'
column of the 'Resolution Matrix' found below.

Workarounds

Workarounds for CVE-2022-22961 have been documented in the VMware Knowledge
Base articles listed in the 'Workarounds' column of the 'Response Matrix'
below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2022-0011-qna

Notes

None.

Acknowledgements

VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability
Research Institute for reporting these issues to us.

Response Matrix - Access 21.08.x (versions 21.08.0.0 and 21.08.0.1, running on
Linux):

CVE Identifier                  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
CVE-2022-22954                  9.8     critical   KB88099        KB88098      FAQ
CVE-2022-22955, CVE-2022-22956  9.8     critical   KB88099        KB88098      FAQ
CVE-2022-22957, CVE-2022-22958  9.1     critical   KB88099        KB88098      FAQ
CVE-2022-22959                  8.8     important  KB88099        KB88098      FAQ
CVE-2022-22960                  7.8     important  KB88099        KB88098      FAQ
CVE-2022-22961                  5.3     moderate   KB88099        None         FAQ

Response Matrix - Access 20.10.x (versions 20.10.0.0 and 20.10.0.1, running on
Linux):

CVE Identifier                  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
CVE-2022-22954                  9.8     critical   KB88099        KB88098      FAQ
CVE-2022-22955, CVE-2022-22956  9.8     critical   KB88099        KB88098      FAQ
CVE-2022-22957, CVE-2022-22958  9.1     critical   KB88099        KB88098      FAQ
CVE-2022-22959                  8.8     important  KB88099        KB88098      FAQ
CVE-2022-22960                  7.8     important  KB88099        KB88098      FAQ
CVE-2022-22961                  5.3     moderate   KB88099        None         FAQ

Response Matrix - Identity Manager 3.3.x (versions 3.3.3, 3.3.4, 3.3.5 and
3.3.6, running on Linux):

CVE Identifier                  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
CVE-2022-22954                  9.8     critical   KB88099        KB88098      FAQ
CVE-2022-22955, CVE-2022-22956  N/A     N/A        Unaffected     N/A          N/A
CVE-2022-22957, CVE-2022-22958  9.1     critical   KB88099        KB88098      FAQ
CVE-2022-22959                  8.8     important  KB88099        KB88098      FAQ
CVE-2022-22960                  7.8     important  KB88099        KB88098      FAQ
CVE-2022-22961                  5.3     moderate   KB88099        None         FAQ

Response Matrix - vRealize Automation (embedded vIDM), running on Linux:

Version  CVE Identifier                  CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation
8.x [1]  CVE-2022-22954 to CVE-2022-22961 (all eight)
                                         N/A     N/A        Unaffected     N/A          N/A
7.6      CVE-2022-22954                  N/A     N/A        Unaffected     N/A          N/A
7.6      CVE-2022-22955, CVE-2022-22956  N/A     N/A        Unaffected     N/A          N/A
7.6 [2]  CVE-2022-22957, CVE-2022-22958  9.1     critical   KB88099        KB88098      FAQ
7.6 [2]  CVE-2022-22959                  8.8     important  KB88099        KB88098      FAQ
7.6 [2]  CVE-2022-22960                  7.8     important  KB88099        KB88098      FAQ
7.6      CVE-2022-22961                  N/A     N/A        Unaffected     N/A          N/A

[1] vRealize Automation 8.x is unaffected since it does not use embedded vIDM.
If vIDM has been deployed with vRA 8.x, fixes should be applied directly to
vIDM.
[2] vRealize Automation 7.6 is affected since it uses embedded vIDM.

Impacted Product Suites that Deploy Response Matrix Components (all running
on any platform; Fixed Version KB88099, Workarounds KB88098, Additional
Documentation FAQ in every case):

VMware Cloud Foundation (vIDM) 4.x, severity critical:
  CVE-2022-22954 (9.8), CVE-2022-22957 (9.1), CVE-2022-22958 (9.1),
  CVE-2022-22959 (8.8), CVE-2022-22960 (7.8), CVE-2022-22961 (5.3)

VMware Cloud Foundation (vRA) 3.x, severity critical:
  CVE-2022-22957 (9.1), CVE-2022-22958 (9.1), CVE-2022-22959 (8.8),
  CVE-2022-22960 (7.8)

vRealize Suite Lifecycle Manager (vIDM) 8.x, severity critical:
  CVE-2022-22954 (9.8), CVE-2022-22957 (9.1), CVE-2022-22958 (9.1),
  CVE-2022-22959 (8.8), CVE-2022-22960 (7.8), CVE-2022-22961 (5.3)

4. References

Fixed Version(s): https://kb.vmware.com/s/article/88099
Workarounds: https://kb.vmware.com/s/article/88098

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22954
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22955
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22956
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22959
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22960
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22961

FIRST CVSSv3 Calculator:
CVE-2022-22954: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22955: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22956: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22957: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-22958: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-22959: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-22960: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2022-22961: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5. Change Log

2022-04-06: VMSA-2022-0011
Initial security advisory.

2022-04-13: VMSA-2022-0011.1
VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the
wild.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================