
Multiple Critical Vulnerabilities Disclosed in VMware Products

On Wednesday, 6 April 2022, VMware disclosed several critical-severity vulnerabilities affecting multiple VMware products. If successfully exploited, they could lead to Remote Code Execution (RCE) or Authentication Bypass.

In addition to the critical-severity vulnerabilities, VMware disclosed several high- and medium-severity vulnerabilities that could lead to Cross-Site Request Forgery (CSRF), Local Privilege Escalation (LPE), or Information Disclosure. All of the vulnerabilities were discovered and responsibly reported to VMware by a security researcher, and patches are available to remediate all of them.

Affected Products:

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

Vulnerability                                        | CVE Identifier
-----------------------------------------------------|-------------------------------
Server-side Template Injection Remote Code Execution | CVE-2022-22954
OAuth2 ACS Authentication Bypass                     | CVE-2022-22955, CVE-2022-22956
JDBC Injection Remote Code Execution                 | CVE-2022-22957, CVE-2022-22958
Cross-Site Request Forgery                           | CVE-2022-22959
Local Privilege Escalation                           | CVE-2022-22960
Information Disclosure                               | CVE-2022-22961

VMware Recommendations

Recommendation #1: Install Vendor Supplied Patches for Affected Products

Impacted Product            | Affected Version(s)                        | Running On | CVE Identifier(s)              | Severity (CVSSv3) | Fixed Version
----------------------------|--------------------------------------------|------------|--------------------------------|-------------------|--------------
VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 | Linux      | CVE-2022-22954                 | Critical - 9.8    | KB88099
VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 | Linux      | CVE-2022-22955, CVE-2022-22956 | Critical - 9.8    | KB88099
VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 | Linux      | CVE-2022-22957, CVE-2022-22958 | Critical - 9.1    | KB88099
VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 | Linux      | CVE-2022-22959                 | High - 8.8        | KB88099
VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 | Linux      | CVE-2022-22960                 | High - 7.8        | KB88099
VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 | Linux      | CVE-2022-22961                 | Medium - 5.3      | KB88099


Impacted Product               | Affected Version(s)        | Running On | CVE Identifier(s)              | Severity (CVSSv3) | Fixed Version
-------------------------------|----------------------------|------------|--------------------------------|-------------------|--------------
VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux      | CVE-2022-22954                 | Critical - 9.8    | KB88099
VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux      | CVE-2022-22957, CVE-2022-22958 | Critical - 9.1    | KB88099
VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux      | CVE-2022-22959                 | High - 8.8        | KB88099
VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux      | CVE-2022-22960                 | High - 7.8        | KB88099
VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux      | CVE-2022-22961                 | Medium - 5.3      | KB88099
vRealize Automation (vIDM)     | 7.6                        | Linux      | CVE-2022-22957, CVE-2022-22958 | Critical - 9.1    | KB88099
vRealize Automation (vIDM)     | 7.6                        | Linux      | CVE-2022-22959                 | High - 8.8        | KB88099
vRealize Automation (vIDM)     | 7.6                        | Linux      | CVE-2022-22960                 | High - 7.8        | KB88099


Impacted Product Suites                 | Affected Version(s) | Running On | CVE Identifier | Severity (CVSSv3) | Fixed Version
----------------------------------------|---------------------|------------|----------------|-------------------|--------------
VMware Cloud Foundation (vIDM)          | 4.x                 | Any        | CVE-2022-22954 | Critical - 9.8    | KB88099
VMware Cloud Foundation (vIDM)          | 4.x                 | Any        | CVE-2022-22957 | Critical - 9.1    | KB88099
VMware Cloud Foundation (vIDM)          | 4.x                 | Any        | CVE-2022-22958 | Critical - 9.1    | KB88099
VMware Cloud Foundation (vIDM)          | 4.x                 | Any        | CVE-2022-22959 | High - 8.8        | KB88099
VMware Cloud Foundation (vIDM)          | 4.x                 | Any        | CVE-2022-22960 | High - 7.8        | KB88099
VMware Cloud Foundation (vIDM)          | 4.x                 | Any        | CVE-2022-22961 | Medium - 5.3      | KB88099
VMware Cloud Foundation (vRA)           | 3.x                 | Any        | CVE-2022-22957 | Critical - 9.1    | KB88099
VMware Cloud Foundation (vRA)           | 3.x                 | Any        | CVE-2022-22958 | Critical - 9.1    | KB88099
VMware Cloud Foundation (vRA)           | 3.x                 | Any        | CVE-2022-22959 | High - 8.8        | KB88099
VMware Cloud Foundation (vRA)           | 3.x                 | Any        | CVE-2022-22960 | High - 7.8        | KB88099
vRealize Suite Lifecycle Manager (vIDM) | 8.x                 | Any        | CVE-2022-22954 | Critical - 9.8    | KB88099
vRealize Suite Lifecycle Manager (vIDM) | 8.x                 | Any        | CVE-2022-22957 | Critical - 9.1    | KB88099
vRealize Suite Lifecycle Manager (vIDM) | 8.x                 | Any        | CVE-2022-22958 | Critical - 9.1    | KB88099
vRealize Suite Lifecycle Manager (vIDM) | 8.x                 | Any        | CVE-2022-22959 | High - 8.8        | KB88099
vRealize Suite Lifecycle Manager (vIDM) | 8.x                 | Any        | CVE-2022-22960 | High - 7.8        | KB88099
vRealize Suite Lifecycle Manager (vIDM) | 8.x                 | Any        | CVE-2022-22961 | Medium - 5.3      | KB88099


Recommendation #2: Implement Vendor Supplied Workarounds if Unable to Patch

If you are unable to patch immediately, we recommend implementing the available workarounds until your organisation can properly remediate the vulnerabilities by patching. Workarounds reduce exposure but do not fix the underlying flaws, so patching remains the only complete remediation. Please note that there is no applicable workaround for the medium-severity Information Disclosure vulnerability (CVE-2022-22961).

Impacted Product            | Affected Version(s)                        | Running On | CVE Identifier(s)              | Severity (CVSSv3) | Workaround
----------------------------|--------------------------------------------|------------|--------------------------------|-------------------|-----------
VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 | Linux      | CVE-2022-22954                 | Critical - 9.8    | KB88098
VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 | Linux      | CVE-2022-22955, CVE-2022-22956 | Critical - 9.8    | KB88098
VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 | Linux      | CVE-2022-22957, CVE-2022-22958 | Critical - 9.1    | KB88098
VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 | Linux      | CVE-2022-22959                 | High - 8.8        | KB88098
VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 | Linux      | CVE-2022-22960                 | High - 7.8        | KB88098


Impacted Product               | Affected Version(s)        | Running On | CVE Identifier(s)              | Severity (CVSSv3) | Workaround
-------------------------------|----------------------------|------------|--------------------------------|-------------------|-----------
VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux      | CVE-2022-22954                 | Critical - 9.8    | KB88098
VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux      | CVE-2022-22957, CVE-2022-22958 | Critical - 9.1    | KB88098
VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux      | CVE-2022-22959                 | High - 8.8        | KB88098
VMware Identity Manager (vIDM) | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | Linux      | CVE-2022-22960                 | High - 7.8        | KB88098
vRealize Automation (vIDM)     | 7.6                        | Linux      | CVE-2022-22957, CVE-2022-22958 | Critical - 9.1    | KB88098
vRealize Automation (vIDM)     | 7.6                        | Linux      | CVE-2022-22959                 | High - 8.8        | KB88098
vRealize Automation (vIDM)     | 7.6                        | Linux      | CVE-2022-22960                 | High - 7.8        | KB88098


Impacted Product Suites                 | Affected Version(s) | Running On | CVE Identifier | Severity (CVSSv3) | Workaround
----------------------------------------|---------------------|------------|----------------|-------------------|-----------
VMware Cloud Foundation (vIDM)          | 4.x                 | Any        | CVE-2022-22954 | Critical - 9.8    | KB88098
VMware Cloud Foundation (vIDM)          | 4.x                 | Any        | CVE-2022-22957 | Critical - 9.1    | KB88098
VMware Cloud Foundation (vIDM)          | 4.x                 | Any        | CVE-2022-22958 | Critical - 9.1    | KB88098
VMware Cloud Foundation (vIDM)          | 4.x                 | Any        | CVE-2022-22959 | High - 8.8        | KB88098
VMware Cloud Foundation (vIDM)          | 4.x                 | Any        | CVE-2022-22960 | High - 7.8        | KB88098
VMware Cloud Foundation (vRA)           | 3.x                 | Any        | CVE-2022-22957 | Critical - 9.1    | KB88098
VMware Cloud Foundation (vRA)           | 3.x                 | Any        | CVE-2022-22958 | Critical - 9.1    | KB88098
VMware Cloud Foundation (vRA)           | 3.x                 | Any        | CVE-2022-22959 | High - 8.8        | KB88098
VMware Cloud Foundation (vRA)           | 3.x                 | Any        | CVE-2022-22960 | High - 7.8        | KB88098
vRealize Suite Lifecycle Manager (vIDM) | 8.x                 | Any        | CVE-2022-22954 | Critical - 9.8    | KB88098
vRealize Suite Lifecycle Manager (vIDM) | 8.x                 | Any        | CVE-2022-22957 | Critical - 9.1    | KB88098
vRealize Suite Lifecycle Manager (vIDM) | 8.x                 | Any        | CVE-2022-22958 | Critical - 9.1    | KB88098
vRealize Suite Lifecycle Manager (vIDM) | 8.x                 | Any        | CVE-2022-22959 | High - 8.8        | KB88098
vRealize Suite Lifecycle Manager (vIDM) | 8.x                 | Any        | CVE-2022-22960 | High - 7.8        | KB88098
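As an added example (not part of this bulletin and not VMware tooling), the following Python script transcribes the patch and workaround matrix above as data and applies it to a fleet inventory, so that hosts are ranked by the highest applicable CVSS score and any CVE that only a patch can address (CVE-2022-22961) is flagged per host. The host names and versions in the sample inventory are constructed, the product strings are assumptions that a real inventory would need to normalise to, and only builds listed in the advisory are treated as affected, so older or unlisted builds still need to be checked against the vendor advisory directly.

```python
"""Patch/workaround triage for the VMware advisory above
(CVE-2022-22954 through CVE-2022-22961).

The advisory matrix is transcribed as data; the inventory at the bottom is
constructed sample input, not real hosts.
"""
from dataclasses import dataclass

FIX_KB = "KB88099"         # vendor patch article for every fixed version
WORKAROUND_KB = "KB88098"  # vendor workaround article (does not cover CVE-2022-22961)

# CVE -> (vulnerability class, CVSSv3 base score, covered by KB88098 workaround)
CVES = {
    "CVE-2022-22954": ("Server-side template injection RCE", 9.8, True),
    "CVE-2022-22955": ("OAuth2 ACS authentication bypass", 9.8, True),
    "CVE-2022-22956": ("OAuth2 ACS authentication bypass", 9.8, True),
    "CVE-2022-22957": ("JDBC injection RCE", 9.1, True),
    "CVE-2022-22958": ("JDBC injection RCE", 9.1, True),
    "CVE-2022-22959": ("Cross-site request forgery", 8.8, True),
    "CVE-2022-22960": ("Local privilege escalation", 7.8, True),
    "CVE-2022-22961": ("Information disclosure", 5.3, False),
}

ALL_CVES = sorted(CVES)
NO_OAUTH = [c for c in ALL_CVES if c not in ("CVE-2022-22955", "CVE-2022-22956")]
JDBC_CSRF_LPE = ["CVE-2022-22957", "CVE-2022-22958", "CVE-2022-22959", "CVE-2022-22960"]

# Product -> (affected version patterns, applicable CVEs). A pattern such as
# "4.x" covers every release with that major version; anything else is an
# exact build string from the advisory. Product strings are assumed labels.
MATRIX = {
    "VMware Workspace ONE Access": (["21.08.0.1", "21.08.0.0", "20.10.0.1", "20.10.0.0"], ALL_CVES),
    "VMware Identity Manager": (["3.3.6", "3.3.5", "3.3.4", "3.3.3"], NO_OAUTH),
    "vRealize Automation": (["7.6"], JDBC_CSRF_LPE),
    "VMware Cloud Foundation (vIDM)": (["4.x"], NO_OAUTH),
    "VMware Cloud Foundation (vRA)": (["3.x"], JDBC_CSRF_LPE),
    "vRealize Suite Lifecycle Manager": (["8.x"], NO_OAUTH),
}


@dataclass
class Finding:
    host: str
    product: str
    version: str
    cves: list            # applicable CVEs, highest CVSS first
    max_cvss: float
    no_workaround: list   # CVEs for which only the patch helps
    fix: str = FIX_KB
    workaround: str = WORKAROUND_KB


def version_affected(version: str, patterns: list) -> bool:
    """True if `version` matches any affected pattern for the product."""
    major = version.split(".")[0]
    for pat in patterns:
        if pat.endswith(".x"):
            if major == pat[:-2]:
                return True
        elif version == pat:
            return True
    return False


def triage(host: str, product: str, version: str):
    """Return a Finding for an affected host, or None if it is not affected."""
    if product not in MATRIX:
        return None
    patterns, cves = MATRIX[product]
    if not version_affected(version, patterns):
        return None
    ranked = sorted(cves, key=lambda c: CVES[c][1], reverse=True)
    return Finding(
        host=host, product=product, version=version, cves=ranked,
        max_cvss=CVES[ranked[0]][1],
        no_workaround=[c for c in ranked if not CVES[c][2]],
    )


def triage_fleet(inventory: list) -> list:
    """Triage every (host, product, version) row; worst CVSS first."""
    findings = [f for f in (triage(*row) for row in inventory) if f]
    return sorted(findings, key=lambda f: f.max_cvss, reverse=True)


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = [
    ("idm-01", "VMware Identity Manager", "3.3.6"),
    ("vra-legacy", "vRealize Automation", "7.6"),
    ("access-prod", "VMware Workspace ONE Access", "21.08.0.1"),
    ("idm-02", "VMware Identity Manager", "3.3.7"),  # not in the advisory's affected list
    ("vcf-mgmt", "VMware Cloud Foundation (vIDM)", "4.4.1"),
]

if __name__ == "__main__":
    for f in triage_fleet(SAMPLE_INVENTORY):
        print(f"{f.host:12} {f.product:32} {f.version:10} max CVSS {f.max_cvss} "
              f"fix {f.fix}; patch-only CVEs: {f.no_workaround or 'none'}")
```

Feed the script real rows from a CMDB or appliance inventory in place of SAMPLE_INVENTORY; any host whose `no_workaround` list is non-empty cannot be fully covered by KB88098 and belongs at the front of the patch queue even if its other CVEs have been mitigated.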


About the Author

Sule Tatar is a Product Marketing Manager at Arctic Wolf, where she does research on security trends and brings groundbreaking cybersecurity products and services to market. She has extensive experience in the B2B cybersecurity space and holds a bachelor's degree in computer engineering and an MBA.
