Issued: Sunday, 22 May, 2022 |
Last Revision: Sunday, 22 May, 2022 |
Vendor: |
Product: |
Severity Level: |
VMware has released security updates for VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager to address critical vulnerabilities.
These vulnerabilities are highly susceptible to exploitation.
In these products, a remote attacker with access to the corresponding user interface might gain administrator access without authentication by exploiting vulnerability CVE-2022-22972.
A malicious actor with local access can gain “root” privileges after successful exploitation of the vulnerability CVE-2022-22973.
CVE/Vulnerability | Description | CVSS3.0 Score |
CVE-2022-22972 | Authentication Bypass Vulnerability | 9.8 |
CVE-2022-22973 | Local Privilege Escalation Vulnerability | 7.8 |
Table 1: Vulnerability details
CVE/Vulnerability | Affected Product(s) | Affected Versions | Fixed Versions |
CVE-2022-22972 | VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 | https://kb.vmware.com/s/article/88438 |
CVE-2022-22972 | Identity Manager | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | https://kb.vmware.com/s/article/88438 |
CVE-2022-22972 | vRealize Automation (vIDM) [2] | 7.6 | https://kb.vmware.com/s/article/88438 |
CVE-2022-22972 | VMware Cloud Foundation | 4.3.x, 4.2.x, 4.1, 4.0.x, 3.x | https://kb.vmware.com/s/article/88438 |
CVE-2022-22972 | vRealize Suite Lifecycle Manager (vIDM) | 8.x | https://kb.vmware.com/s/article/88438 |
CVE-2022-22973 | VMware Workspace ONE Access | 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0 | https://kb.vmware.com/s/article/88438 |
CVE-2022-22973 | Identity Manager | 3.3.6, 3.3.5, 3.3.4, 3.3.3 | https://kb.vmware.com/s/article/88438 |
CVE-2022-22973 | VMware Cloud Foundation | 4.3.x, 4.2.x, 4.1, 4.0.x | https://kb.vmware.com/s/article/88438 |
CVE-2022-22973 | vRealize Suite Lifecycle Manager (vIDM) | 8.x | https://kb.vmware.com/s/article/88438 |
Table 2: Vulnerable versions
Updates are available for all the products in the “Affected Products” table, covering multiple versions with point releases.
Organizations are encouraged to mitigate these security flaws by applying the vendor-provided fixes to the affected products.
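To triage an asset inventory against Table 2, the following added example (not part of the original advisory or any VMware tooling) matches product/version records to the CVEs that cover them. It assumes inventory versions are dotted strings in the same form as the table, treats entries ending in `.x` as prefix matches and all others as exact matches, and uses constructed hostnames and versions.

```python
# Added example: affected-version data transcribed from Table 2 of this advisory.
KB = "https://kb.vmware.com/s/article/88438"
WS1 = ["21.08.0.1", "21.08.0.0", "20.10.0.1", "20.10.0.0"]
VIDM = ["3.3.6", "3.3.5", "3.3.4", "3.3.3"]
AFFECTED = {
    "CVE-2022-22972": {
        "VMware Workspace ONE Access": WS1,
        "Identity Manager": VIDM,
        "vRealize Automation (vIDM)": ["7.6"],
        "VMware Cloud Foundation": ["4.3.x", "4.2.x", "4.1", "4.0.x", "3.x"],
        "vRealize Suite Lifecycle Manager (vIDM)": ["8.x"],
    },
    "CVE-2022-22973": {
        "VMware Workspace ONE Access": WS1,
        "Identity Manager": VIDM,
        "VMware Cloud Foundation": ["4.3.x", "4.2.x", "4.1", "4.0.x"],
        "vRealize Suite Lifecycle Manager (vIDM)": ["8.x"],
    },
}

def version_matches(installed, pattern):
    """Assumption: '.x' entries are prefix matches, all others are exact."""
    inst, pat = installed.strip().split("."), pattern.split(".")
    if pat[-1] == "x":
        prefix = pat[:-1]
        return inst[:len(prefix)] == prefix
    return inst == pat

def cves_for(product, version):
    """Return the sorted CVE ids whose Table 2 row covers product + version."""
    return sorted(
        cve for cve, products in AFFECTED.items()
        if any(version_matches(version, p) for p in products.get(product, []))
    )

def triage(inventory):
    """Map each affected host to its applicable CVEs and the fix article."""
    report = {}
    for host, product, version in inventory:
        hits = cves_for(product, version)
        if hits:
            report[host] = {"cves": hits, "fix": KB}
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [("idm-01", "Identity Manager", "3.3.5"),
          ("vcf-legacy", "VMware Cloud Foundation", "3.10.2"),
          ("vcf-new", "VMware Cloud Foundation", "4.4.0"),
          ("vra-01", "vRealize Automation (vIDM)", "7.6")]

if __name__ == "__main__":
    for host, info in triage(SAMPLE).items():
        print(host, ", ".join(info["cves"]), info["fix"])
```

A version that does not match any row is only "not listed in this advisory"; confirm patch status against the vendor article before closing the finding.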
