Critical Vulnerability in Workspace ONE Access and Identity Manager

VMware Releases Critical Security Advisory VMSA-2022-0014

On the heels of the April 2022 VMware critical security advisory VMSA-2022-0011, which addressed eight CVEs in VMware Workspace ONE Access and VMware Identity Manager, VMware has released a new critical security advisory, VMSA-2022-0014. This advisory addresses two new vulnerabilities in VMware Workspace ONE Access and VMware Identity Manager: CVE-2022-22972, rated critical, and CVE-2022-22973, rated important.

The Critical Vulnerability

CVE-2022-22972 is an authentication bypass. According to VMware, a malicious actor with network access to the VMware Workspace ONE Access or VMware Identity Manager user interface may be able to obtain administrative access without needing to authenticate. The vulnerability is rated critical with a maximum CVSSv3 base score of 9.8. Because it requires nothing more than network reachability of the product UI, VMware states that “this critical vulnerability should be patched or mitigated immediately.” Until the patch is applied, treat any appliance whose UI is reachable from untrusted networks as exposed, and review its administrative accounts and logs for unexpected activity.

The Important Vulnerability

CVE-2022-22973 is a local privilege escalation. A malicious actor with local access to VMware Workspace ONE Access or VMware Identity Manager can escalate privileges to ‘root’. The vulnerability is rated important with a maximum CVSSv3 base score of 7.8. On its own it requires an existing foothold on the appliance, but chained with a remote compromise it turns limited access into full control of the system, so it should be patched alongside the critical issue rather than deferred.

Affected Products and Suites

The following product versions are affected by these vulnerabilities:

* VMware Workspace ONE Access: 19.0.2, 19.1.0, 19.1.1, 19.1.2, 19.2.0, 19.2.1, and 19.3.0

* VMware Identity Manager: 3.6.5, 3.7.0, 3.7.1, 3.8.0, 3.8.1, 3.9.0, and 3.9.1

The following products and suites are also affected because they embed VMware Identity Manager, either directly or through an included vRealize Automation instance:

* VMware vRealize Automation: 7.6

* VMware vRealize Suite: 7.6, 8.0, and 8.1

* VMware Cloud Foundation: 3.x, 4.x, and 5.x

Patches and Workarounds

VMware has released patches and workarounds for both vulnerabilities. The recommendation is to apply the patches to all vulnerable systems as soon as possible, starting with any appliance whose user interface is reachable from untrusted networks. VMware KB88438 provides instructions for obtaining and deploying the patches for VMware Workspace ONE Access and VMware Identity Manager.

To resolve the vulnerabilities in VMware vRealize Automation 7.6, deploy the latest cumulative update, Patch 28. VMware KB70911 provides instructions for obtaining and deploying the cumulative update.

While workarounds are available, VMware states that “the only way to remove the vulnerabilities from your environment is to apply the patches provided in VMSA-2022-0014.” Workarounds, while convenient, do not remove the vulnerabilities, and they may introduce operational complexity that patching would not. If a workaround is applied as a stopgap, track the affected systems so that the patch is still deployed, and verify after patching that the workaround has not been left in a state that conflicts with the update.

The workarounds for each product are documented in VMware KB88433.