VMware recently released another set of patches addressing a number of vulnerabilities in several products.
The vulnerabilities (CVE-2022-31656, CVE-2022-31657, CVE-2022-31658, CVE-2022-31659, CVE-2022-31660, CVE-2022-31661, CVE-2022-31662, CVE-2022-31663, CVE-2022-31664, CVE-2022-31665) were reported privately. The severity scores of the flaws vary from 4.7 to 9.8 according to the CVSS system.
The list of affected products includes the following:
- VMware Workspace ONE Access (Access)
- VMware Workspace ONE Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
CVE-2022-31656: An Authentication Bypass Vulnerability
The most dangerous of the vulnerabilities, rated 9.8, is CVE-2022-31656, or an authentication bypass issue that impacts local domain users. The latter could be exploited by a threat actor with network access to obtain administrative rights. The vulnerability doesn’t require the need to authenticate. According to the company’s advisory, VMware Workspace ONE Access, Identity Manager and vRealize Automation are affected by this flaw.
The next on the list of fixed issues in terms of severity is CVE-2022-31658, a remote code execution vulnerability rated 8.0. The issue affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. The flaw can be exploited by a threat actor with administrator and network access to trigger a remote code execution condition.
Another remote code execution vulnerability with a CVSS score of 8.0 is CVE-2022-31659 in VMware Workspace ONE Access and Identity Manager.
The list also includes three local privilege escalation bugs known as CVE-2022-31660, CVE-2022-31661, and CVE-2022-31664; a URL injection vulnerability identified as CVE-2022-31657, and a path traversal bug assigned the CVE-2022-31662 identifier.
All affected customers should apply the available patches immediately.
Last month, VMware patched CVE-2021-22048, a high-severity privilege escalation vulnerability in the VMware vCenter Server IWA mechanism, which also affects the Cloud Foundation hybrid platform. Eight months after the vulnerability was disclosed, the company released a patch for one of the affected versions.