Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

VMware Patches Multiple Vulnerabilities in Workspace ONE, Identity and Lifecycle Manager and vRealize (VMSA-2022-0011)

VMware cautions organizations to patch or mitigate several serious vulnerabilities across multiple products.

Update August 11: Updated the Proof of Concept section and Get More Information section after the release of details and PoC code from researcher at Steven Seeley, credited with the discovery of these vulnerabilities.

Update April 18: Updated the Solution section to note that the VMware advisory now indicates that CVE-2022-22960 has been exploited in the wild.

View Change Log

Background

On April 6, VMware published an advisory (VMSA-2022-0011) addressing eight vulnerabilities across a number of VMware products:

CVE Description CVSSv3
CVE-2022-22954 Server-side Template Injection Remote Code Execution Vulnerability 9.8
CVE-2022-22955 OAuth2 ACS Authentication Bypass Vulnerability 9.8
CVE-2022-22956 OAuth2 ACS Authentication Bypass Vulnerability 9.8
CVE-2022-22957 JDBC Injection Remote Code Execution Vulnerability 9.1
CVE-2022-22958 JDBC Injection Remote Code Execution Vulnerability 9.1
CVE-2022-22959 Cross SIte Request Forgery Vulnerability 8.8
CVE-2022-22960 Local Privilege Escalation Vulnerability 7.8
CVE-2022-22961 Information Disclosure Vulnerability 5.3

Affected products include:

All eight vulnerabilities were disclosed to VMware by Steven Seeley, a security researcher with Qihoo 360 Vulnerability Research Institute.

Analysis

CVE-2022-22954 is a server-side template injection vulnerability in the VMware Workspace ONE Access and Identity Manager. This vulnerability was assigned a CVSSv3 score of 9.8. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager. Successful exploitation could result in remote code execution by exploiting a server-side template injection flaw.

CVE-2022-22955 and CVE-2022-22956 are a pair of authentication bypass vulnerabilities in the OAuth 2.0 Access Control Services (ACS) framework within VMware Workspace ONE. Both of these vulnerabilities were assigned a CVSSv3 score of 9.8. An unauthenticated attacker could send specially crafted requests to vulnerable and exposed OAuth2.0 endpoints in VMware Workspace ONE in order to successfully authenticate to the Workspace ONE instance.

These three vulnerabilities are the only ones patched in this advisory that do not require authentication prior to exploitation. The remaining five do, and as such, have been assigned lower CVSSv3 scores.

Russian state-sponsored actors have targeted VMware Workspace ONE in the past

In December 2020, the National Security Agency revealed that Russian state-sponsored threat actors had exploited CVE-2020-4006, a command injection flaw in the administrative configurator component across a number of VMware products including Workspace ONE Access, Identity Manager, Cloud Foundation and vRealize Suite Lifecycle Manager.

While the vulnerabilities in VMSA-2022-0011 were addressed as part of a coordinated disclosure, attackers do routinely target legacy vulnerabilities.

Proof of concept

At the time this blog post was published, no proof-of-concept (PoC) exploits had been shared for any of the vulnerabilities. Update 4/13: There are now several PoCs for CVE-2022-22954 available on GitHub. Update 8/11: Hekate, a PoC chain of several vulnerabilities has been release following a presentation at Black Hat USA.

Solution

VMware released patches for the vulnerabilities in the following affected products:

Product/Component Affected Versions
VMware Workspace ONE Access Appliance 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0
VMware Identity Manager Appliance 3.3.3, 3.3.4, 3.3.5, 3.3.6
VMware vRealize Automation 7.6

VMware urges organizations to take immediate action

As part of an FAQ document for VMSA-2022-0011, VMware has stressed that these vulnerabilities “should be patched or mitigated immediately” and that the “ramifications” are “serious.” If patching these flaws is not feasible, VMware has also shared workaround instructions as a temporary solution, but states that patching is the only way to remove these flaws entirely

As of April 13, VMware updated its FAQ confirming that in-the-wild exploitation of CVE-2022-22954 has been detected.

As of April 18, the VMSA-2022-0011 advisory has been updated to reflect that CVE-2022-22960 has been exploited in the wild. However, at this time the change only appears in the notes section of the CVE description. VMware has not yet updated the FAQ page that accompanies this advisory.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Change Log

Update April 13:Updated the Solution and Proof of concept sections to confirm the availability of several proofs of concept for CVE-2022-22954 as well as confirmation from VMware that CVE-2022-22954 has been exploited in the wild.

Update August 11: Updated the Proof of Concept section and Get More Information section after the release of details and PoC code from researcher at Steven Seeley, credited with the discovery of these vulnerabilities.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training