On Wednesday, April 6, 2022, VMware disclosed several critical-severity vulnerabilities impacting multiple VMware products. If successfully exploited, the vulnerabilities could lead to Remote Code Execution (RCE) or Authentication Bypass.
In addition to the critical severity vulnerabilities, VMware disclosed several high and medium severity vulnerabilities, which could lead to Cross Site Request Forgery (CSRF), Local Privilege Escalation (LPE), or Information Disclosure. All of the vulnerabilities were discovered and responsibly reported to VMware by a security researcher and patches are available to remediate all vulnerabilities.
Affected Products:
- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
| Vulnerability | CVE Identifier |
| --- | --- |
| Server-side Template Injection Remote Code Execution | CVE-2022-22954 |
| OAuth2 ACS Authentication Bypass | CVE-2022-22955, CVE-2022-22956 |
| JDBC Injection Remote Code Execution | CVE-2022-22957, CVE-2022-22958 |
| Cross Site Request Forgery | CVE-2022-22959 |
| Local Privilege Escalation | CVE-2022-22960 |
| Information Disclosure | CVE-2022-22961 |
VMware Recommendations
Recommendation #1: Install Vendor Supplied Patches for Affected Products
| Impacted Product | Affected Version(s) | Running On | CVE Identifier | Severity | Fixed Version |
| --- | --- | --- | --- | --- | --- |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 21.10.0.0 | Linux | CVE-2022-22954 | Critical – 9.8 | KB88099 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 21.10.0.0 | Linux | CVE-2022-22955, CVE-2022-22956 | Critical – 9.8 | KB88099 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 21.10.0.0 | Linux | CVE-2022-22957, CVE-2022-22958 | Critical – 9.1 | KB88099 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 21.10.0.0 | Linux | CVE-2022-22959 | High – 8.8 | KB88099 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 21.10.0.0 | Linux | CVE-2022-22960 | High – 7.8 | KB88099 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 21.10.0.0 | Linux | CVE-2022-22961 | Medium – 5.3 | KB88099 |
| Impacted Product | Affected Version(s) | Running On | CVE Identifier | Severity | Fixed Version |
| --- | --- | --- | --- | --- | --- |
| VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22954 | Critical – 9.8 | KB88099 |
| VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22957, CVE-2022-22958 | Critical – 9.1 | KB88099 |
| vRealize Automation (vIDM) | 7.6 | Linux | CVE-2022-22957, CVE-2022-22958 | Critical – 9.1 | KB88099 |
| VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22959 | High – 8.8 | KB88099 |
| vRealize Automation (vIDM) | 7.6 | Linux | CVE-2022-22959 | High – 8.8 | KB88099 |
| VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22960 | High – 7.8 | KB88099 |
| vRealize Automation (vIDM) | 7.6 | Linux | CVE-2022-22960 | High – 7.8 | KB88099 |
| VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22961 | Medium – 5.3 | KB88099 |
| Impacted Product Suites | Affected Version(s) | Running On | CVE Identifier | Severity | Fixed Version |
| --- | --- | --- | --- | --- | --- |
| VMware Cloud Foundation (vIDM) | 4.x | Any | CVE-2022-22954, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961 | Critical – 9.8, Critical – 9.1, Critical – 9.1, High – 8.8, High – 7.8, Medium – 5.3 | KB88099 |
| VMware Cloud Foundation (vRA) | 3.x | Any | CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 | Critical – 9.1, Critical – 9.1, High – 8.8, High – 7.8 | KB88099 |
| vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2022-22954, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961 | Critical – 9.8, Critical – 9.1, Critical – 9.1, High – 8.8, High – 7.8, Medium – 5.3 | KB88099 |
Recommendation #2: Implement Vendor Supplied Workarounds if Unable to Patch
If you are unable to patch immediately, we recommend implementing the available workarounds until your organization can properly remediate the vulnerabilities by patching. Please note that there is no workaround for the medium-severity Information Disclosure vulnerability (CVE-2022-22961); patching is the only remediation for it.
| Impacted Product | Affected Version(s) | Running On | CVE Identifier | Severity | Workaround |
| --- | --- | --- | --- | --- | --- |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 21.10.0.0 | Linux | CVE-2022-22954 | Critical – 9.8 | KB88098 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 21.10.0.0 | Linux | CVE-2022-22955, CVE-2022-22956 | Critical – 9.8 | KB88098 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 21.10.0.0 | Linux | CVE-2022-22957, CVE-2022-22958 | Critical – 9.1 | KB88098 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 21.10.0.0 | Linux | CVE-2022-22959 | High – 8.8 | KB88098 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 21.10.0.0 | Linux | CVE-2022-22960 | High – 7.8 | KB88098 |
| Impacted Product | Affected Version(s) | Running On | CVE Identifier | Severity | Workaround |
| --- | --- | --- | --- | --- | --- |
| VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22954 | Critical – 9.8 | KB88098 |
| VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22957, CVE-2022-22958 | Critical – 9.1 | KB88098 |
| vRealize Automation (vIDM) | 7.6 | Linux | CVE-2022-22957, CVE-2022-22958 | Critical – 9.1 | KB88098 |
| VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22959 | High – 8.8 | KB88098 |
| vRealize Automation (vIDM) | 7.6 | Linux | CVE-2022-22959 | High – 8.8 | KB88098 |
| VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux | CVE-2022-22960 | High – 7.8 | KB88098 |
| vRealize Automation (vIDM) | 7.6 | Linux | CVE-2022-22960 | High – 7.8 | KB88098 |
| Impacted Product Suites | Affected Version(s) | Running On | CVE Identifier | Severity | Workaround |
| --- | --- | --- | --- | --- | --- |
| VMware Cloud Foundation (vIDM) | 4.x | Any | CVE-2022-22954, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 | Critical – 9.8, Critical – 9.1, Critical – 9.1, High – 8.8, High – 7.8 | KB88098 |
| VMware Cloud Foundation (vRA) | 3.x | Any | CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 | Critical – 9.1, Critical – 9.1, High – 8.8, High – 7.8 | KB88098 |
| vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2022-22954, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 | Critical – 9.8, Critical – 9.1, Critical – 9.1, High – 8.8, High – 7.8 | KB88098 |
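The two recommendations above reduce to a triage question for each deployed instance: is the installed version in the affected list, and if so, which CVEs does the KB88099 patch close and which can KB88098 cover in the interim. The following script is an added example, not VMware's tooling or part of the advisory; it transcribes the affected-version and CVE data from the tables on this page, treats a version spec ending in ".x" (such as "4.x") as a version family and any other spec as an exact version, and flags the one CVE the page says has no workaround. The inventory it runs on is constructed sample data.

```python
"""Added example (not from the advisory): match an asset inventory against the
affected-version data transcribed from this page's VMSA-2022-0011 tables.
Inventory entries below are constructed sample data."""

# Patch and workaround KB numbers as given on the page.
PATCH_KB = "KB88099"
WORKAROUND_KB = "KB88098"
# The page states there is no workaround for the Information Disclosure issue.
NO_WORKAROUND = {"CVE-2022-22961"}

# (product, affected version specs, CVEs) transcribed from the page's patch tables.
# A spec ending in ".x" denotes a version family; anything else is an exact version.
AFFECTED = [
    ("VMware Workspace ONE Access",
     ["21.08.0.1", "21.08.0.0", "20.10.0.1", "21.10.0.0"],
     ["CVE-2022-22954", "CVE-2022-22955", "CVE-2022-22956", "CVE-2022-22957",
      "CVE-2022-22958", "CVE-2022-22959", "CVE-2022-22960", "CVE-2022-22961"]),
    ("VMware Identity Manager",
     ["3.3.6", "3.3.5", "3.3.4", "3.3.3"],
     ["CVE-2022-22954", "CVE-2022-22957", "CVE-2022-22958", "CVE-2022-22959",
      "CVE-2022-22960", "CVE-2022-22961"]),
    ("vRealize Automation", ["7.6"],
     ["CVE-2022-22957", "CVE-2022-22958", "CVE-2022-22959", "CVE-2022-22960"]),
    ("VMware Cloud Foundation", ["4.x"],
     ["CVE-2022-22954", "CVE-2022-22957", "CVE-2022-22958", "CVE-2022-22959",
      "CVE-2022-22960", "CVE-2022-22961"]),
    ("VMware Cloud Foundation", ["3.x"],
     ["CVE-2022-22957", "CVE-2022-22958", "CVE-2022-22959", "CVE-2022-22960"]),
    ("vRealize Suite Lifecycle Manager", ["8.x"],
     ["CVE-2022-22954", "CVE-2022-22957", "CVE-2022-22958", "CVE-2022-22959",
      "CVE-2022-22960", "CVE-2022-22961"]),
]

ADVISORY_PRODUCTS = {row[0] for row in AFFECTED}


def version_matches(installed: str, spec: str) -> bool:
    """True when `installed` falls under `spec`.

    "4.x" matches every version whose leading component is 4; a spec without a
    trailing "x" must equal the installed version component for component.
    """
    inst = installed.strip().split(".")
    parts = spec.strip().split(".")
    if parts[-1] == "x":
        prefix = parts[:-1]
        return inst[:len(prefix)] == prefix
    return inst == parts


def triage(inventory):
    """Return one finding dict per (product, version) pair in the inventory."""
    findings = []
    for product, version in inventory:
        finding = {"product": product, "version": version,
                   "status": "not in advisory", "patch_cves": [],
                   "workaround_cves": [], "no_workaround_cves": []}
        if product in ADVISORY_PRODUCTS:
            finding["status"] = "not affected"
        for name, specs, cves in AFFECTED:
            if name != product or not any(version_matches(version, s) for s in specs):
                continue
            finding["status"] = "affected"
            finding["patch_cves"] = list(cves)  # every listed CVE is fixed via KB88099
            finding["workaround_cves"] = [c for c in cves if c not in NO_WORKAROUND]
            finding["no_workaround_cves"] = [c for c in cves if c in NO_WORKAROUND]
        findings.append(finding)
    return findings


def report(findings) -> str:
    """Render findings as one line per asset, suitable for a ticket or runbook."""
    lines = []
    for f in findings:
        line = f"{f['product']} {f['version']}: {f['status']}"
        if f["status"] == "affected":
            line += (f"; patch via {PATCH_KB} for {len(f['patch_cves'])} CVEs"
                     f"; interim workaround {WORKAROUND_KB} covers "
                     f"{len(f['workaround_cves'])}")
            if f["no_workaround_cves"]:
                line += f"; no workaround for {', '.join(f['no_workaround_cves'])}"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("VMware Workspace ONE Access", "21.08.0.1"),
        ("VMware Cloud Foundation", "4.4.1"),
        ("VMware Identity Manager", "3.3.7"),
        ("vCenter Server", "7.0.3"),
    ]
    print(report(triage(sample)))
```

Exact-version specs are matched literally, so a build reported as "7.6.0" will not match the page's "7.6" entry; treat a "not affected" result for a product that does appear in the advisory as a prompt to confirm the build string against the VMware advisory, not as a clean bill of health.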
References
- VMware Advisory: https://www.vmware.com/security/advisories/VMSA-2022-0011.html
- Advisory FAQ: https://core.vmware.com/vmsa-2022-0011-questions-answers-faq
- VMware Knowledge Base – Workaround Instructions: https://kb.vmware.com/s/article/88098
- VMware Knowledge Base – Patching Instructions: https://kb.vmware.com/s/article/88099
- 2020 NSA Advisory: https://www.cisa.gov/uscert/ncas/current-activity/2020/12/07/nsa-releases-advisory-russian-state-sponsored-malicious-cyber