VMware Patches Multiple Vulnerabilities in Workspace ONE, Identity and Lifecycle Manager and vRealize (VMSA-2022-0011)
VMware cautions organizations to patch or mitigate several serious vulnerabilities across multiple products.
Update August 11: Updated the Proof of Concept section and Get More Information section after the release of details and PoC code from researcher at Steven Seeley, credited with the discovery of these vulnerabilities.
Update April 18: Updated the Solution section to note that the VMware advisory now indicates that CVE-2022-22960 has been exploited in the wild.
Background
On April 6, VMware published an advisory (VMSA-2022-0011) addressing eight vulnerabilities across a number of VMware products:
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2022-22954 | Server-side Template Injection Remote Code Execution Vulnerability | 9.8 |
| CVE-2022-22955 | OAuth2 ACS Authentication Bypass Vulnerability | 9.8 |
| CVE-2022-22956 | OAuth2 ACS Authentication Bypass Vulnerability | 9.8 |
| CVE-2022-22957 | JDBC Injection Remote Code Execution Vulnerability | 9.1 |
| CVE-2022-22958 | JDBC Injection Remote Code Execution Vulnerability | 9.1 |
| CVE-2022-22959 | Cross SIte Request Forgery Vulnerability | 8.8 |
| CVE-2022-22960 | Local Privilege Escalation Vulnerability | 7.8 |
| CVE-2022-22961 | Information Disclosure Vulnerability | 5.3 |
Affected products include:
- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
All eight vulnerabilities were disclosed to VMware by Steven Seeley, a security researcher with Qihoo 360 Vulnerability Research Institute.
Analysis
CVE-2022-22954 is a server-side template injection vulnerability in the VMware Workspace ONE Access and Identity Manager. This vulnerability was assigned a CVSSv3 score of 9.8. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager. Successful exploitation could result in remote code execution by exploiting a server-side template injection flaw.
CVE-2022-22955 and CVE-2022-22956 are a pair of authentication bypass vulnerabilities in the OAuth 2.0 Access Control Services (ACS) framework within VMware Workspace ONE. Both of these vulnerabilities were assigned a CVSSv3 score of 9.8. An unauthenticated attacker could send specially crafted requests to vulnerable and exposed OAuth2.0 endpoints in VMware Workspace ONE in order to successfully authenticate to the Workspace ONE instance.
These three vulnerabilities are the only ones patched in this advisory that do not require authentication prior to exploitation. The remaining five do, and as such, have been assigned lower CVSSv3 scores.
Russian state-sponsored actors have targeted VMware Workspace ONE in the past
In December 2020, the National Security Agency revealed that Russian state-sponsored threat actors had exploited CVE-2020-4006, a command injection flaw in the administrative configurator component across a number of VMware products including Workspace ONE Access, Identity Manager, Cloud Foundation and vRealize Suite Lifecycle Manager.
While the vulnerabilities in VMSA-2022-0011 were addressed as part of a coordinated disclosure, attackers do routinely target legacy vulnerabilities.
Proof of concept
At the time this blog post was published, no proof-of-concept (PoC) exploits had been shared for any of the vulnerabilities. Update 4/13: There are now several PoCs for CVE-2022-22954 available on GitHub. Update 8/11: Hekate, a PoC chain of several vulnerabilities has been release following a presentation at Black Hat USA.
Solution
VMware released patches for the vulnerabilities in the following affected products:
| Product/Component | Affected Versions |
|---|---|
| VMware Workspace ONE Access Appliance | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 |
| VMware Identity Manager Appliance | 3.3.3, 3.3.4, 3.3.5, 3.3.6 |
| VMware vRealize Automation | 7.6 |
VMware urges organizations to take immediate action
As part of an FAQ document for VMSA-2022-0011, VMware has stressed that these vulnerabilities “should be patched or mitigated immediately” and that the “ramifications” are “serious.” If patching these flaws is not feasible, VMware has also shared workaround instructions as a temporary solution, but states that patching is the only way to remove these flaws entirely
As of April 13, VMware updated its FAQ confirming that in-the-wild exploitation of CVE-2022-22954 has been detected.
As of April 18, the VMSA-2022-0011 advisory has been updated to reflect that CVE-2022-22960 has been exploited in the wild. However, at this time the change only appears in the notes section of the CVE description. VMware has not yet updated the FAQ page that accompanies this advisory.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
Get more information
- VMWare Advisory: VMSA-2022-0011
- VMware VMSA-2022-0011 FAQ
- Workaround Instructions for VMSA-2022-0011
- Blog post from Steven Seeley on the discovery of these vulnerabilities
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
Change Log
Update April 13:Updated the Solution and Proof of concept sections to confirm the availability of several proofs of concept for CVE-2022-22954 as well as confirmation from VMware that CVE-2022-22954 has been exploited in the wild.
Update August 11: Updated the Proof of Concept section and Get More Information section after the release of details and PoC code from researcher at Steven Seeley, credited with the discovery of these vulnerabilities.
Related Articles
CVE-2024-47575: Frequently Asked Questions About FortiJump Zero-Day in FortiManager and FortiManager Cloud
October 23, 2024Frequently asked questions about a zero-day vulnerability in Fortinet’s FortiManager that has reportedly been exploited in the wild.
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25
October 22, 2024Twenty five years after the launch of CVE, the Tenable Security Response Team has handpicked 25 vulnerabilities that stand out for their significance.
Oracle October 2024 Critical Patch Update Addresses 198 CVEs
October 15, 2024Oracle addresses 198 CVEs in its fourth quarterly update of 2024 with 334 patches, including 35 critical updates.
Securing Financial Data in the Cloud: How Tenable Can Help
November 4, 2024Preventing data loss, complying with regulations, automating workflows and managing access are four key challenges facing financial institutions. Learn how Tenable can help.
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
- Vulnerability Management