VMware published an advisory on 6th April 2022 in which it disclosed 10 new vulnerabilities in VMware products. One of the ten vulnerabilities is rated Critical, six are rated Important, and three are rated Moderate in severity, with CVSS scores ranging from 4.7 to 9.8. Attackers could abuse these vulnerabilities to carry out authentication bypass, remote code execution, privilege escalation, URL injection, path traversal, and cross-site scripting (XSS) attacks on vulnerable VMware products such as VMware Workspace ONE Access (Access), VMware Workspace ONE Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. It is highly recommended that all VMware product owners mitigate or patch these 10 new vulnerabilities (CVE-2022-31656 to CVE-2022-31665).
Summary of the 10 New Vulnerabilities in VMware Products:
Out of 10 vulnerabilities, 1 is critical, 6 are high, and 3 are medium in severity as per the CVSS 3.0 rating system.
| CVE ID | Description | CVSS Score | Severity |
|---|---|---|---|
| CVE-2022-31656 | An authentication bypass vulnerability affecting local domain users in VMware Workspace ONE Access, Identity Manager and vRealize Automation. | 9.8 | Critical |
| CVE-2022-31658 | A remote code execution vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation. | 8.0 | High |
| CVE-2022-31659 | A remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. | 8.0 | High |
| CVE-2022-31660 & CVE-2022-31661 | Privilege escalation vulnerabilities in VMware Workspace ONE Access, Identity Manager and vRealize Automation. | 7.8 | High |
| CVE-2022-31664 | A local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation. | 7.8 | High |
| CVE-2022-31665 | A remote code execution vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation. | 7.6 | High |
| CVE-2022-31657 | A URL injection vulnerability in VMware Workspace ONE Access and Identity Manager. | 5.9 | Medium |
| CVE-2022-31662 | A path traversal vulnerability in VMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation. | 5.3 | Medium |
| CVE-2022-31663 | A reflected cross-site scripting (XSS) vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation. | 4.7 | Medium |
VMware Products Vulnerable to the 10 New Vulnerabilities (CVE-2022-31656 to CVE-2022-31665):
There are five products that VMWare has listed in its advisory. They are:
- VMware Workspace ONE Access (Access): 21.08.0.1, 21.08.0.0
- VMware Workspace ONE Access Connector (Access Connector): 22.05, 21.08.0.1, 21.08.0.0
- VMware Identity Manager (vIDM): 3.3.6, 3.3.5, 3.3.4
- VMware Identity Manager Connector (vIDM Connector): 3.3.6, 3.3.5, 3.3.4, 19.03.0.1
- VMware vRealize Automation (vRA): 8.x, 7.6
- VMware Cloud Foundation: 4.4.x, 4.3.x, 4.2.x, 3.x
- vRealize Suite Lifecycle Manager: 8.x
How to Patch the 10 New Vulnerabilities in VMware Products (CVE-2022-31656 to CVE-2022-31665)?
These products are impacted only if vIDM is used within their environment.
vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM.
vRealize Automation 7.6 is affected since it uses embedded vIDM.
How to Patch the 10 New Vulnerabilities in VMware Products?
VMware has released patches to address these vulnerabilities. Download the patch for your product if you intend to apply it. There are a few things to note before you apply the fix:
- Upgrade to supported versions: Check whether you are running any unsupported versions. If so, upgrade those instances to a supported version first, regardless of whether they are vulnerable.
- Take a backup: Don't forget to take a backup or snapshot of the appliances and the data server before you do anything.
Refer to the table below to download the patches for your VMware products.
| Product Component | Version(s) |
|---|---|
| VMware Workspace ONE Access Appliance | 21.08.0.1 |
| VMware Workspace ONE Access Appliance | 21.08.0.0 |
| VMware Identity Manager Appliance & Connector | 3.3.6 |
| VMware Identity Manager Appliance & Connector | 3.3.5 |
| VMware Identity Manager Appliance & Connector | 3.3.4 |
| VMware Identity Manager Connector | 19.03.0.1 |
| VMware vRealize Automation 7.6 | 7.6 |
How to Patch VMware Products?
Note: The procedure below does not apply to vRA 7.6. There is a separate patch available for vRA 7.6; refer to KB 70911 to apply the patches on vRA 7.6.
1. Log in to the appliance with root privileges: open the command line of the appliance over SSH as root.
2. Download the patch: download HW-160130-Appliance-<Version>.zip for your product and transfer it to the appliance.
3. Unzip the downloaded file on the appliance:
   # unzip HW-160130-Appliance-<Version>.zip
4. Change into the unzipped directory using the 'cd' command:
   # cd HW-160130-Appliance-<Version>
5. Install the patch by running the patch script:
   # ./HW-160130-applyPatch.sh
6. Validate that the patch has been applied successfully:
   - Access the Workspace ONE Access Console as an administrator and browse to the System Diagnostics page. It should be green.
   - A flag file named HW-160130-<version-number>-hotfix.applied (for example HW-160130-21.08.0.1-hotfix.applied) should exist in the /usr/local/horizon/conf/flags directory if the patch was applied successfully.
7. If you run a cluster deployment, repeat this process on every cluster node. The other nodes can keep running while a node is being patched.
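The flag file is the only machine-checkable sign of success the procedure gives, and the notes below say it has to be re-created after every appliance upgrade. The following POSIX shell script is an added example, not code from VMware or the KB: it checks a flags directory for the HW-160130 flag of the version you expect and reports stale flags left by an earlier version. The directory path and flag-name pattern are taken from the procedure above; the function names and the temporary demo directory are this example's own construction.

```shell
#!/bin/sh
# Added example: verify the HW-160130 hotfix flag on a Workspace ONE Access /
# vIDM appliance. The flag path and naming pattern follow the patch procedure;
# everything else here (function names, demo directory) is constructed.

HOTFIX_ID=HW-160130
FLAGS_DIR_DEFAULT=/usr/local/horizon/conf/flags   # real appliance location

# hotfix_flag_path FLAGS_DIR VERSION -> prints the expected flag file path
hotfix_flag_path() {
    printf '%s/%s-%s-hotfix.applied\n' "$1" "$HOTFIX_ID" "$2"
}

# hotfix_applied FLAGS_DIR VERSION -> exit status 0 if the flag for VERSION exists
hotfix_applied() {
    [ -f "$(hotfix_flag_path "$1" "$2")" ]
}

# list_hotfix_versions FLAGS_DIR -> prints one version per flag file found.
# A flag for an OLD version only means the patch must be re-applied after an upgrade.
list_hotfix_versions() {
    for f in "$1"/"$HOTFIX_ID"-*-hotfix.applied; do
        [ -f "$f" ] || continue          # unmatched glob stays literal; skip it
        name=${f##*/}                    # strip directory
        name=${name#"$HOTFIX_ID"-}       # strip "HW-160130-" prefix
        printf '%s\n' "${name%-hotfix.applied}"
    done
}

# check_node FLAGS_DIR VERSION -> reports PATCHED (exit 0) or NOT PATCHED (exit 1)
check_node() {
    if hotfix_applied "$1" "$2"; then
        echo "PATCHED: $(hotfix_flag_path "$1" "$2")"
        return 0
    fi
    stale=$(list_hotfix_versions "$1")
    if [ -n "$stale" ]; then
        echo "NOT PATCHED for $2 (flag present only for: $stale); re-apply the patch after the upgrade"
    else
        echo "NOT PATCHED for $2 (no $HOTFIX_ID flag in $1)"
    fi
    return 1
}

# Demo on a constructed temporary directory standing in for $FLAGS_DIR_DEFAULT.
demo=$(mktemp -d)
touch "$demo/$HOTFIX_ID-21.08.0.0-hotfix.applied"   # flag left by a pre-upgrade install
check_node "$demo" 21.08.0.1 || true                 # appliance now on 21.08.0.1: NOT PATCHED
touch "$demo/$HOTFIX_ID-21.08.0.1-hotfix.applied"   # after re-running applyPatch.sh
check_node "$demo" 21.08.0.1                         # PATCHED
rm -rf "$demo"
```

On a real node, run `check_node /usr/local/horizon/conf/flags <version>` as root after step 5, and again on every cluster node, since the flag is per appliance and not replicated between nodes.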
Note:
- Once you apply the patch, the workaround will be removed automatically.
- If you upgrade the appliance, the patch must be applied again on the upgraded version.
- There is a separate patch available for vRA 7.6. Please refer to KB 70911.
- Don't apply the patch on top of the problematic patch. Remove the problematic patch's flag file before applying the correct patch:
   rm -rf /usr/local/horizon/conf/flags/HW-160130-<version-number>-hotfix.applied
How to Apply the Workaround to Fix CVE-2022-31656 to CVE-2022-31665?
There is a workaround for those who are not in a position to apply the permanent patches any time soon. However, they may have to accept the loss of certain functionality. Please read these points carefully before deciding on the workaround over a permanent fix.
- Local users may lose their login access.
- Inventory sync may fail if VMware Identity Manager is managed by vRealize Suite Lifecycle Manager.
VMware has released workarounds to address these vulnerabilities. Please visit this KB to see the procedure for applying the workaround for the 10 new vulnerabilities in VMware products.
We hope this post will help you know how to patch the 10 new vulnerabilities in VMWare products (CVE-2022-31656 to CVE-2022-31665). Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
Original article by ItWorker; if reposting, please credit the source: https://blog.ytso.com/278877.html