On Tuesday, August 2, 2022, VMware disclosed a critical-severity authentication bypass vulnerability (CVE-2022-31656) impacting multiple VMware products, including VMware’s Workspace ONE Access, Identity Manager (vIDM), and vRealize Automation. If successfully exploited, the vulnerability could allow a threat actor with network access to the user interface to obtain administrative access without needing to authenticate.
In addition to the critical-severity vulnerability, VMware disclosed several high- and medium-severity vulnerabilities, which could lead to Remote Code Execution (RCE), URL injection, Local Privilege Escalation (LPE), Cross-site Scripting (XSS), or path traversal if successfully exploited. All of the vulnerabilities were discovered and responsibly reported to VMware by security researchers, and security hotfixes are available to remediate all vulnerabilities.
Affected Products:
- VMware Workspace ONE Access (Access)
- VMware Workspace ONE Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware vRealize Automation (vRA)
  - Impacted if vIDM is used within the vRA environment
- VMware Cloud Foundation (VCF)
  - Impacted if vIDM is used within the VCF environment
- vRealize Suite Lifecycle Manager (vRSLCM)
  - Impacted if vIDM is used within the vRSLCM environment
Petrus Viet, a security researcher who responsibly disclosed three of the patched vulnerabilities, including CVE-2022-31656, plans to publish a technical write-up and PoC for CVE-2022-31656 and CVE-2022-31659 in the near future.
By chaining both vulnerabilities together, a threat actor would be able to obtain administrative access and trigger remote code execution. Once the technical write-up is published, we assess that threat actors will quickly produce multiple PoC exploits to target organizations that are still vulnerable.
Historically, threat actors, including state-sponsored groups, have exploited similar vulnerabilities in VMware products to obtain initial access and conduct intrusions. We strongly recommend reviewing the recommendations below for guidance on how to properly mitigate these vulnerabilities.
CVE Identifier | Vulnerability Type | CVSS v3 | Severity |
CVE-2022-31656 | Authentication Bypass | 9.8 | Critical |
CVE-2022-31658 | JDBC Injection RCE | 8.0 | High |
CVE-2022-31659 | SQL Injection RCE | 8.0 | High |
CVE-2022-31660, CVE-2022-31661 | Local Privilege Escalation | 7.8 | High |
CVE-2022-31664 | Local Privilege Escalation | 7.8 | High |
CVE-2022-31665 | JDBC Injection RCE | 7.6 | High |
CVE-2022-31657 | URL Injection | 5.9 | Medium |
CVE-2022-31662 | Path Traversal | 5.3 | Medium |
CVE-2022-31663 | Cross-site Scripting | 4.7 | Medium |
Recommendations for CVE-2022-31656
Recommendation #1: Install Vendor Supplied Hotfixes for Affected Products
We recommend applying the latest relevant security hotfixes to the impacted products to mitigate the vulnerabilities.
Product | Version(s) | Hotfix |
VMware Workspace ONE Access Appliance | 21.08.0.1 | HW-160130-Appliance-21.08.0.1 |
VMware Workspace ONE Access Appliance | 21.08.0.0 | HW-160130-Appliance-21.08.0.0 |
VMware Identity Manager Appliance & Connector | 3.3.6 | HW-160130-Appliance-3.3.6, HW-160130-Connector-3.3.6 |
VMware Identity Manager Appliance & Connector | 3.3.5 | HW-160130-Appliance-3.3.5, HW-160130-Connector-3.3.5 |
VMware Identity Manager Appliance & Connector | 3.3.4 | HW-160130-Appliance-3.3.4, HW-160130-Connector-3.3.4 |
VMware Identity Manager Connector | 19.03.0.1 | HW-160130-Connector-19.03.0.1 |
Recommendation #2: Implement Vendor Supplied Workarounds if Unable to Patch
If you are unable to patch CVE-2022-31656 immediately, we recommend implementing the available workaround until your organization can properly remediate the vulnerability by applying the security hotfix. Please note that there are no applicable workarounds for the other disclosed vulnerabilities. The workaround instructions are available here:
https://kb.vmware.com/s/article/89084
Note: VMware notes some functional impact when the workaround is deployed.
References