===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2443
    Critical Severity - VMSA-2022-0014 - VMware Workspace ONE Access,
    Identity Manager and vRealize Automation updates address multiple
                              vulnerabilities
                                19 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Workspace ONE Access (Access)
                   VMware Identity Manager (vIDM)
                   VMware vRealize Automation (vRA)
                   VMware Cloud Foundation
                   vRealize Suite Lifecycle Manager
Publisher:         VMware
Operating System:  Linux variants
                   Virtualisation
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-22973 CVE-2022-22972

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2022-0014.html

Comment: CVSS (Max):  9.8 CVE-2022-22972 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: VMware
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

Critical

Advisory ID:   VMSA-2022-0014
CVSSv3 Range:  7.8-9.8
Issue Date:    2022-05-18
Updated On:    2022-05-18
CVE(s):        CVE-2022-22972, CVE-2022-22973
Synopsis:      VMware Workspace ONE Access, Identity Manager and vRealize
               Automation updates address multiple vulnerabilities.

1. Impacted Products

   o VMware Workspace ONE Access (Access)
   o VMware Identity Manager (vIDM)
   o VMware vRealize Automation (vRA)
   o VMware Cloud Foundation
   o vRealize Suite Lifecycle Manager

2. Introduction

Multiple vulnerabilities were privately reported to VMware. Patches are
available to remediate these vulnerabilities in affected VMware products.

3a. Authentication Bypass Vulnerability (CVE-2022-22972)

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain
an authentication bypass vulnerability affecting local domain users.
VMware has evaluated the severity of this issue to be in the Critical severity
range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

A malicious actor with network access to the UI may be able to obtain
administrative access without the need to authenticate.

Resolution

To remediate CVE-2022-22972, apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

Workarounds for CVE-2022-22972 have been documented in the VMware Knowledge
Base articles listed in the 'Workarounds' column of the 'Response Matrix'
below.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2022-0014-qna

Notes

None.

Acknowledgements

VMware would like to thank Bruno Lopez of Innotec Security for reporting this
vulnerability to us.

3b. Local Privilege Escalation Vulnerability (CVE-2022-22973)

Description

VMware Workspace ONE Access and Identity Manager contain a privilege
escalation vulnerability. VMware has evaluated the severity of this issue to
be in the Important severity range with a maximum CVSSv3 base score of 7.8.

Known Attack Vectors

A malicious actor with local access can escalate privileges to 'root'.

Resolution

To remediate CVE-2022-22973, apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

A supplemental blog post was created for additional clarification. Please see:
https://via.vmw.com/vmsa-2022-0014-qna

Notes

None.

Acknowledgements

VMware would like to thank Kai Zhao of ToTU Security Team and Steven Yu for
independently reporting this issue to us.
Response Matrix

Product                                 | Version                    | Running On | CVE Identifier                 | CVSSv3 | Severity  | Fixed Version | Workarounds | Additional Documentation
Access                                  | 21.08.0.1, 21.08.0.0       | Linux      | CVE-2022-22972                 | 9.8    | critical  | KB88438       | KB88433     | FAQ
Access                                  | 21.08.0.1, 21.08.0.0       | Linux      | CVE-2022-22973                 | 7.8    | important | KB88438       | None        | FAQ
Access                                  | 20.10.0.1, 20.10.0.0       | Linux      | CVE-2022-22972                 | 9.8    | critical  | KB88438       | KB88433     | FAQ
Access                                  | 20.10.0.1, 20.10.0.0       | Linux      | CVE-2022-22973                 | 7.8    | important | KB88438       | None        | FAQ
vIDM                                    | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux      | CVE-2022-22972                 | 9.8    | critical  | KB88438       | KB88433     | FAQ
vIDM                                    | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux      | CVE-2022-22973                 | 7.8    | important | KB88438       | None        | FAQ
vRealize Automation [1]                 | 8.x                        | Linux      | CVE-2022-22972, CVE-2022-22973 | N/A    | N/A       | Unaffected    | N/A         | N/A
vRealize Automation (vIDM) [2]          | 7.6                        | Linux      | CVE-2022-22972                 | 9.8    | critical  | KB88438       | KB88433     | FAQ
vRealize Automation (vIDM)              | 7.6                        | Linux      | CVE-2022-22973                 | N/A    | N/A       | Unaffected    | N/A         | N/A

[1] vRealize Automation 8.x is unaffected since it does not use embedded vIDM.
    If vIDM has been deployed with vRA 8.x, fixes should be applied directly
    to vIDM.
[2] vRealize Automation 7.6 is affected since it uses embedded vIDM.

Impacted Product Suites that Deploy Response Matrix Components:

Product                                 | Version                    | Running On | CVE Identifier                 | CVSSv3 | Severity  | Fixed Version | Workarounds | Additional Documentation
VMware Cloud Foundation (vIDM)          | 4.3.x, 4.2.x, 4.1, 4.0.x   | Any        | CVE-2022-22972                 | 9.8    | critical  | KB88438       | KB88433     | FAQ
VMware Cloud Foundation (vIDM)          | 4.3.x, 4.2.x, 4.1, 4.0.x   | Any        | CVE-2022-22973                 | 7.8    | important | KB88438       | None        | FAQ
VMware Cloud Foundation (vRA)           | 3.x                        | Any        | CVE-2022-22972                 | 9.8    | critical  | KB88438       | KB88433     | FAQ
vRealize Suite Lifecycle Manager (vIDM) | 8.x                        | Any        | CVE-2022-22972                 | 9.8    | critical  | KB88438       | KB88433     | FAQ
vRealize Suite Lifecycle Manager (vIDM) | 8.x                        | Any        | CVE-2022-22973                 | 7.8    | important | KB88438       | None        | FAQ

4. References

Fixed Version(s):
   https://kb.vmware.com/s/article/88438

Workarounds:
   https://kb.vmware.com/s/article/88433

Mitre CVE Dictionary Links:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22972
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22973

FIRST CVSSv3 Calculator:
   CVE-2022-22972: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
   CVE-2022-22973: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

5. Change Log

2022-05-18: VMSA-2022-0014 Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:
   https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
   security-announce@lists.vmware.com
   bugtraq@securityfocus.com
   fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
   https://www.vmware.com/security/advisories

VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
   https://blogs.vmware.com/security

Twitter
   https://twitter.com/VMwareSRC

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================