Advisory for VMware Security Update

  • NIC-CERT/2022-08/342
  • Date: 2022-08-03
  • CVE ID: Multiple
  • Severity: Critical

Description:

Multiple vulnerabilities have been found in VMware products which can be exploited by an attacker to take control of the affected system.

Security Issues Fixed:

  • VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
  • VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability.
  • VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability.
  • VMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation contain a path traversal vulnerability.
  • VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a reflected cross-site scripting (XSS) vulnerability.

Affected Products and Solution:

| Product | Version | CVE Identifier | Fixed Version |
|---|---|---|---|
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0 | CVE-2022-31656 | KB89096 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0 | CVE-2022-31658 | KB89096 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0 | CVE-2022-31659 | KB89096 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0 | CVE-2022-31660, CVE-2022-31661 | KB89096 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0 | CVE-2022-31664 | KB89096 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0 | CVE-2022-31665 | KB89096 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0 | CVE-2022-31657 | KB89096 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0 | CVE-2022-31662 | KB89096 |
| VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0 | CVE-2022-31663 | KB89096 |
| vIDM | 3.3.6, 3.3.5, 3.3.4 | CVE-2022-31656 | KB89096 |
| vIDM | 3.3.6, 3.3.5, 3.3.4 | CVE-2022-31658 | KB89096 |
| vIDM | 3.3.6, 3.3.5, 3.3.4 | CVE-2022-31659 | KB89096 |
| vIDM | 3.3.6, 3.3.5, 3.3.4 | CVE-2022-31660, CVE-2022-31661 | KB89096 |
| vIDM | 3.3.6, 3.3.5, 3.3.4 | CVE-2022-31664 | KB89096 |
| vIDM | 3.3.6, 3.3.5, 3.3.4 | CVE-2022-31665 | KB89096 |
| vIDM | 3.3.6, 3.3.5, 3.3.4 | CVE-2022-31657 | KB89096 |
| vIDM | 3.3.6, 3.3.5, 3.3.4 | CVE-2022-31662 | KB89096 |
| vIDM | 3.3.6, 3.3.5, 3.3.4 | CVE-2022-31663 | KB89096 |
| Access Connector | 22.05 | CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665 | Unaffected |
| Access Connector | 21.08.0.1, 21.08.0.0 | CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665 | Unaffected |
| vIDM Connector | 3.3.6, 3.3.5, 3.3.4 | CVE-2022-31662 | KB89096 |
| vIDM Connector | 3.3.6, 3.3.5, 3.3.4 | CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665 | Unaffected |
| vIDM Connector | 19.03.0.1 | CVE-2022-31662 | KB89096 |
| vIDM Connector | 19.03.0.1 | CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665 | Unaffected |
| vRealize Automation [1] | 8.x | CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665 | Unaffected |
| vRealize Automation (vIDM) [2] | 7.6 | CVE-2022-31656 | KB89096 |
| vRealize Automation (vIDM) [2] | 7.6 | CVE-2022-31658 | KB89096 |
| vRealize Automation (vIDM) [2] | 7.6 | CVE-2022-31659 | KB89096 |
| vRealize Automation (vIDM) [2] | 7.6 | CVE-2022-31660, CVE-2022-31661 | KB89096 |
| vRealize Automation (vIDM) [2] | 7.6 | CVE-2022-31664 | KB89096 |
| vRealize Automation (vIDM) [2] | 7.6 | CVE-2022-31665 | KB89096 |
| vRealize Automation (vIDM) [2] | 7.6 | CVE-2022-31657 | KB89096 |
| vRealize Automation (vIDM) [2] | 7.6 | CVE-2022-31662 | KB89096 |
| vRealize Automation (vIDM) [2] | 7.6 | CVE-2022-31663 | KB89096 |
| VMware Cloud Foundation (vIDM) | 4.4.x, 4.3.x, 4.2.x | CVE-2022-31656 | KB89096 |
| VMware Cloud Foundation (vIDM) | 4.4.x, 4.3.x, 4.2.x | CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665, CVE-2022-31657, CVE-2022-31662, CVE-2022-31663 | KB89096 |
| vRealize Suite Lifecycle Manager (vIDM) | 8.x | CVE-2022-31656 | KB89096 |
| vRealize Suite Lifecycle Manager (vIDM) | 8.x | CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665, CVE-2022-31657, CVE-2022-31662, CVE-2022-31663 | KB89096 |
| VMware Cloud Foundation (vRA) | 3.x | CVE-2022-31656 | KB89096 |
| VMware Cloud Foundation (vRA) | 3.x | CVE-2022-31658, CVE-2022-31660, CVE-2022-31661, CVE-2022-31664, CVE-2022-31665, CVE-2022-31662, CVE-2022-31663 | KB89096 |
| VMware Cloud Foundation (vRA) | 3.x | CVE-2022-31659 | Unaffected |
| VMware Cloud Foundation (vRA) | 3.x | CVE-2022-31657 | Unaffected |


References:

https://www.vmware.com/security/advisories.html

https://kb.vmware.com/s/article/89096