
Multiple Critical Vulnerabilities in VMware Products

Issued: 
Tuesday, 12 April, 2022
Last Revision: 
Tuesday, 12 April, 2022
Vendor: VMware
Severity Level: Critical
Summary: 

VMware has released security updates for VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation, VMware Cloud Foundation, vRealize Suite Lifecycle Manager, and VMware Horizon Client for Linux to address multiple critical vulnerabilities.

Depending on the product and flaw, successful exploitation could result in remote code execution, authentication bypass, cross-site request forgery, local privilege escalation to root, or information disclosure.

These vulnerabilities can be chained, and combining them (for example, remote code execution followed by local privilege escalation to root) raises the overall severity beyond that of any single flaw.

 

CVE/Vulnerability   Description                                                          CVSS 3.0 Score
CVE-2022-22954      Server-Side Template Injection Remote Code Execution Vulnerability   9.8
CVE-2022-22955      OAuth2 ACS Authentication Bypass Vulnerability                       9.8
CVE-2022-22956      OAuth2 ACS Authentication Bypass Vulnerability                       9.8
CVE-2022-22957      JDBC Injection Remote Code Execution Vulnerability                   9.1
CVE-2022-22958      JDBC Injection Remote Code Execution Vulnerability                   9.1
CVE-2022-22959      Cross-Site Request Forgery Vulnerability                             8.8
CVE-2022-22960      Local Privilege Escalation Vulnerability                             7.8
CVE-2022-22961      Information Disclosure Vulnerability                                 5.3
CVE-2022-22962      Local Privilege Escalation Vulnerability                             7.3
CVE-2022-22964      Local Privilege Escalation Vulnerability                             7.3

Table 1: Vulnerability details 


Affected Product: VMware Workspace ONE Access
  Affected Versions: 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
  CVE/Vulnerability: CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958
  Fixed Versions / Patch Reference: https://kb.vmware.com/s/article/88099

Affected Product: VMware Identity Manager (vIDM)
  Affected Versions: 3.3.6, 3.3.5, 3.3.4, 3.3.3
  CVE/Vulnerability: CVE-2022-22954, CVE-2022-22957, CVE-2022-22958
  Fixed Versions / Patch Reference: https://kb.vmware.com/s/article/88099

Affected Product: vRealize Automation (vIDM)
  Affected Versions: 7.6
  CVE/Vulnerability: CVE-2022-22957, CVE-2022-22958
  Fixed Versions / Patch Reference: https://kb.vmware.com/s/article/88099

Affected Product: VMware Cloud Foundation (vIDM)
  Affected Versions: 4.x
  CVE/Vulnerability: CVE-2022-22954, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961
  Fixed Versions / Patch Reference: https://kb.vmware.com/s/article/88099

Affected Product: VMware Cloud Foundation (vIDM)
  Affected Versions: 3.x
  CVE/Vulnerability: CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960
  Fixed Versions / Patch Reference: https://kb.vmware.com/s/article/88099

Affected Product: vRealize Suite Lifecycle Manager (vIDM)
  Affected Versions: 8.x
  CVE/Vulnerability: CVE-2022-22954, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961
  Fixed Versions / Patch Reference: https://kb.vmware.com/s/article/88099

Affected Product: Horizon Client for Linux
  Affected Versions: 21.x
  CVE/Vulnerability: CVE-2022-22962, CVE-2022-22964
  Fixed Versions / Patch Reference: https://docs.vmware.com/en/VMware-Horizon-Client-for-Linux/2203/rn/vmware-horizon-client-for-linux-2203-release-notes/index.html

Table 2: Vulnerable versions 

Recommendation: 

VMware has made updates available for every product listed in Table 2, covering the affected version lines with point releases or patches referenced in the linked knowledge base article and release notes.

Organizations are encouraged to identify every deployment of the products in Table 2, apply the vendor-provided fix for the matching version line without delay, and prioritize internet-facing Workspace ONE Access and vIDM instances, since the 9.8-rated remote code execution and authentication bypass flaws require no prior access. Where a fix cannot be applied immediately, consult the vendor advisory for any interim workarounds and monitor the affected hosts for signs of exploitation until they are patched.
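The matrix in Table 2 mixes exact versions (21.08.0.1) with whole release lines (4.x, 8.x, 21.x), so checking an asset inventory against it by hand is error-prone. The script below is an added example written for this advisory, not VMware's or Q-CERT's own tooling. It transcribes Table 2, handles both specifier forms, and reports, for each deployed instance, which CVEs apply. The host names and versions in INVENTORY are constructed sample data. A version that is absent from the table is reported as not listed, which is not the same as confirmed fixed; the vendor references in Table 2 remain authoritative.

```python
"""Check a VMware deployment inventory against the affected-version matrix in Table 2."""
import re

# Transcribed from Table 2 of this advisory: (product, affected version specifiers, CVEs).
# A trailing "x" in a specifier matches every release in that line (e.g. "4.x" matches 4.4.1).
ROWS = [
    ("VMware Workspace ONE Access",
     ["21.08.0.1", "21.08.0.0", "20.10.0.1", "20.10.0.0"],
     ["CVE-2022-22954", "CVE-2022-22955", "CVE-2022-22956", "CVE-2022-22957", "CVE-2022-22958"]),
    ("VMware Identity Manager (vIDM)",
     ["3.3.6", "3.3.5", "3.3.4", "3.3.3"],
     ["CVE-2022-22954", "CVE-2022-22957", "CVE-2022-22958"]),
    ("vRealize Automation (vIDM)",
     ["7.6"],
     ["CVE-2022-22957", "CVE-2022-22958"]),
    ("VMware Cloud Foundation (vIDM)",
     ["4.x"],
     ["CVE-2022-22954", "CVE-2022-22957", "CVE-2022-22958",
      "CVE-2022-22959", "CVE-2022-22960", "CVE-2022-22961"]),
    ("VMware Cloud Foundation (vIDM)",
     ["3.x"],
     ["CVE-2022-22957", "CVE-2022-22958", "CVE-2022-22959", "CVE-2022-22960"]),
    ("vRealize Suite Lifecycle Manager (vIDM)",
     ["8.x"],
     ["CVE-2022-22954", "CVE-2022-22957", "CVE-2022-22958",
      "CVE-2022-22959", "CVE-2022-22960", "CVE-2022-22961"]),
    ("Horizon Client for Linux",
     ["21.x"],
     ["CVE-2022-22962", "CVE-2022-22964"]),
]


def parse_version(text):
    """'21.08.0.1' -> (21, 8, 0, 1). An 'x' component becomes None (wildcard);
    a non-numeric suffix such as '3.3.6-hotfix1' is ignored after the leading digits."""
    parts = []
    for piece in text.strip().split("."):
        if piece.lower() == "x":
            parts.append(None)
            continue
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def version_matches(deployed, spec):
    """True if a deployed version string falls under a Table 2 specifier."""
    d, s = parse_version(deployed), parse_version(spec)
    if None in s:
        # Wildcard line: compare only the components before the 'x'.
        prefix = s[: s.index(None)]
        return d[: len(prefix)] == prefix
    # Exact version: pad with zeros so 3.3.6 and 3.3.6.0 compare equal.
    width = max(len(d), len(s))
    return d + (0,) * (width - len(d)) == s + (0,) * (width - len(s))


def find_exposed(inventory):
    """Return [(host, product, version, sorted CVE list)] for every inventory entry
    whose product and version appear in Table 2. Entries not listed are omitted."""
    exposed = []
    for host, product, version in inventory:
        cves = set()
        for row_product, specs, row_cves in ROWS:
            if row_product == product and any(version_matches(version, s) for s in specs):
                cves.update(row_cves)
        if cves:
            exposed.append((host, product, version, sorted(cves)))
    return exposed


# Constructed sample inventory; these hosts and versions are illustrative only.
INVENTORY = [
    ("ws1-access-01.corp.example", "VMware Workspace ONE Access", "21.08.0.1"),
    ("idm-02.corp.example", "VMware Identity Manager (vIDM)", "3.3.6"),
    ("vcf-mgmt.corp.example", "VMware Cloud Foundation (vIDM)", "4.4.1"),
    ("vcf-legacy.corp.example", "VMware Cloud Foundation (vIDM)", "3.10.2"),
    ("eng-laptop-07", "Horizon Client for Linux", "2203"),  # 2203 is the fixed release
]

if __name__ == "__main__":
    for host, product, version, cves in find_exposed(INVENTORY):
        print(f"{host}: {product} {version} -> {', '.join(cves)}")
```

Feed it the real inventory export from your CMDB or vCenter and treat every reported host as a patching ticket; the Horizon Client 2203 entry in the sample is dropped because 2203 does not fall under the 21.x line, which matches the fixed release named in the Table 2 release-notes link.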