VMware has released a security advisory addressing a critical authentication bypass flaw, tracked as CVE-2022-31656, that affects local domain users in multiple products. The vulnerability is remotely exploitable, and an unauthenticated attacker can use it to gain administrative privileges.
The vulnerability is rated critical with a CVSS v3 base score of 9.8 and affects the Workspace ONE Access, Identity Manager, and vRealize Automation products.
The advisory reads: “A malicious actor with network access to the UI may obtain administrative access without needing to authenticate.”
Additionally, VMware released fixes for three remote code execution vulnerabilities and a couple of local privilege escalation vulnerabilities.

An authentication bypass means that an attacker with network access to Workspace ONE Access, VMware Identity Manager, or vRealize Automation can obtain administrator access. Remote code execution (RCE) means that an attacker can trick the components into executing commands that are not authorized. Privilege escalation means that an attacker with local access can become root on the virtual appliance. It is extremely important that users quickly patch or mitigate these issues in on-premises deployments.
Vulnerabilities Patched by VMware
| CVE ID | Vulnerability |
|---|---|
| CVE-2022-31657 | URL Injection Vulnerability |
| CVE-2022-31658 | JDBC Injection Remote Code Execution Vulnerability |
| CVE-2022-31659 | SQL Injection Remote Code Execution Vulnerability |
| CVE-2022-31660 | Local Privilege Escalation Vulnerability |
| CVE-2022-31661 | Local Privilege Escalation Vulnerability |
| CVE-2022-31662 | Path Traversal Vulnerability |
| CVE-2022-31663 | Cross-Site Scripting (XSS) Vulnerability |
| CVE-2022-31664 | Local Privilege Escalation Vulnerability |
| CVE-2022-31665 | JDBC Injection Remote Code Execution Vulnerability |
The above issues impact the following products:
- VMware Workspace ONE Access (Access)
- VMware Workspace ONE Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager