===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2443
Critical Severity - VMSA-2022-0014 - VMware Workspace ONE Access, Identity
 Manager and vRealize Automation updates address multiple vulnerabilities
                                19 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Workspace ONE Access (Access)
                   VMware Identity Manager (vIDM)
                   VMware vRealize Automation (vRA)
                   VMware Cloud Foundation
                   vRealize Suite Lifecycle Manager
Publisher:         VMware
Operating System:  Linux variants
                   Virtualisation
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22973 CVE-2022-22972 

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2022-0014.html

Comment: CVSS (Max):  9.8 CVE-2022-22972 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: VMware
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

Critical

Advisory ID: VMSA-2022-0014
CVSSv3 Range: 7.8-9.8
Issue Date: 2022-05-18
Updated On: 2022-05-18
CVE(s): CVE-2022-22972, CVE-2022-22973
Synopsis: VMware Workspace ONE Access, Identity Manager and vRealize Automation
updates address multiple vulnerabilities.


1. Impacted Products

  o VMware Workspace ONE Access (Access)
  o VMware Identity Manager (vIDM)
  o VMware vRealize Automation (vRA)
  o VMware Cloud Foundation
  o vRealize Suite Lifecycle Manager


2. Introduction

Multiple vulnerabilities were privately reported to VMware. Patches are
available to remediate these vulnerabilities in affected VMware products.


3a. Authentication Bypass Vulnerability (CVE-2022-22972)

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain
an authentication bypass vulnerability affecting local domain users. VMware has
evaluated the severity of this issue to be in the Critical severity range with
a maximum CVSSv3 base score of 9.8. 

Known Attack Vectors

A malicious actor with network access to the UI may be able to obtain
administrative access without the need to authenticate.

Resolution

To remediate CVE-2022-22972, apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2022-22972 have been documented in the VMware Knowledge
Base articles listed in the 'Workarounds' column of the 'Response Matrix'
below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2022-0014-qna

Notes

None.

Acknowledgements

VMware would like to thank Bruno Lopez of Innotec Security for reporting this
vulnerability to us.


3b. Local Privilege Escalation Vulnerability (CVE-2022-22973)

Description

VMware Workspace ONE Access and Identity Manager contain a privilege escalation
vulnerability. VMware has evaluated the severity of this issue to be in the 
Important severity range with a maximum CVSSv3 base score of 7.8.

Known Attack Vectors

A malicious actor with local access can escalate privileges to 'root'. 

Resolution

To remediate CVE-2022-22973, apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2022-0014-qna

Notes

None.

Acknowledgements

VMware would like to thank Kai Zhao of ToTU Security Team and Steven Yu for
independently reporting this issue to us.


Response Matrix

Product / Version(s) / Running On
  CVE Identifier   CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation

Access 21.08.0.1, 21.08.0.0 / Linux
  CVE-2022-22972   9.8     critical   KB88438        KB88433      FAQ
  CVE-2022-22973   7.8     important  KB88438        None         FAQ

Access 20.10.0.1, 20.10.0.0 / Linux
  CVE-2022-22972   9.8     critical   KB88438        KB88433      FAQ
  CVE-2022-22973   7.8     important  KB88438        None         FAQ

vIDM 3.3.6, 3.3.5, 3.3.4, 3.3.3 / Linux
  CVE-2022-22972   9.8     critical   KB88438        KB88433      FAQ
  CVE-2022-22973   7.8     important  KB88438        None         FAQ

vRealize Automation 8.x / Linux [1]
  CVE-2022-22972,
  CVE-2022-22973   N/A     N/A        Unaffected     N/A          N/A

vRealize Automation 7.6 (vIDM) / Linux [2]
  CVE-2022-22972   9.8     critical   KB88438        KB88433      FAQ
  CVE-2022-22973   N/A     N/A        Unaffected     N/A          N/A

[1] vRealize Automation 8.x is unaffected since it does not use embedded vIDM.
If vIDM has been deployed with vRA 8.x, fixes should be applied directly to
vIDM.
[2] vRealize Automation 7.6 is affected since it uses embedded vIDM.


Impacted Product Suites that Deploy Response Matrix Components:

Product / Version(s) / Running On
  CVE Identifier   CVSSv3  Severity   Fixed Version  Workarounds  Additional Documentation

VMware Cloud Foundation (vIDM) 4.3.x, 4.2.x, 4.1, 4.0.x / Any
  CVE-2022-22972   9.8     critical   KB88438        KB88433      FAQ
  CVE-2022-22973   7.8     important  KB88438        None         FAQ

VMware Cloud Foundation (vRA) 3.x / Any
  CVE-2022-22972   9.8     critical   KB88438        KB88433      FAQ

vRealize Suite Lifecycle Manager (vIDM) 8.x / Any
  CVE-2022-22972   9.8     critical   KB88438        KB88433      FAQ
  CVE-2022-22973   7.8     important  KB88438        None         FAQ


4. References

Fixed Version(s): https://kb.vmware.com/s/article/88438
Workarounds: https://kb.vmware.com/s/article/88433


Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22972
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22973


FIRST CVSSv3 Calculator:

CVE-2022-22972: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-22973: 
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H


5. Change Log

2022-05-18: VMSA-2022-0014
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

This Security Advisory is posted to the following lists:  
security-announce@lists.vmware.com  
bugtraq@securityfocus.com  
fulldisclosure@seclists.org 

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055 

VMware Security Advisories
https://www.vmware.com/security/advisories 

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html 

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html 

VMware Security & Compliance Blog  
https://blogs.vmware.com/security 

Twitter
https://twitter.com/VMwareSRC

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================