Threat Intelligence Blog


Black Arrow Admin

Black Arrow Cyber Advisory 19/05/2022 – VMware provides patches for critical vulnerabilities in multiple product lines. CISA advise to disconnect systems if they cannot be patched


Executive Summary

VMware is a large supplier of virtualisation products which are used to run a wide variety of services. On 18/05/2022 VMware announced that updates had been released for multiple products in its range to address two vulnerabilities. The United States Cybersecurity and Infrastructure Security Agency (CISA) has directed US federal civilian government agencies to patch affected products, or to disconnect any that cannot be patched, by 5PM EDT on 23/05/2022.

What’s the risk to me or my business?

As VMware is one of the primary suppliers of virtual infrastructure, it is highly likely that some business services are hosted on machines running VMware software. One of the vulnerabilities (CVE-2022-22972) allows an attacker with network access to the user interface of an affected product to obtain administrative access without needing to authenticate. The exposure is greatest where that management interface is reachable from the internet or from general user networks rather than being restricted to an administrative network. Because business services may be hosted on VMware infrastructure, this could impact the Confidentiality, Integrity or Availability of those services.

What can I do?

As patches have been released, it is important that they are applied as soon as possible. CISA expects attackers to develop exploits for these vulnerabilities quickly, which is why it has set a deadline to patch or disconnect.

Discuss with your Managed Service Provider (MSP) whether any of your devices or services are impacted, and when they can expect to be patched. Once patching is reported as complete, confirm the installed version of each affected product against the fixed versions listed in the VMware advisory rather than relying on the report alone. VMware has supplied workarounds to help mitigate the issue where it cannot be patched immediately, but VMware makes clear that the workarounds do not remove the vulnerabilities and may introduce additional unforeseen issues, so they should be treated as a stopgap until the patch is applied.

Technical Summary

The following is a breakdown of the vulnerabilities and the affected VMware products.

CVE-2022-22972: Critical severity, maximum CVSSv3 base score 9.8. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. Affected VMware products:

  • VMware Workspace ONE Access

  • Identity Manager

  • vRealize Automation

CVE-2022-22973: Important severity, maximum CVSSv3 base score 7.8. A malicious actor with local access to the system can escalate privileges to 'root'. Affected VMware products:

  • VMware Workspace ONE Access and Identity Manager

The following VMware products deploy the above affected components.

  • VMware Cloud Foundation

  • vRealize Suite Lifecycle Manager

Further technical information, including a response patch matrix and workarounds, can be found in VMSA-2022-0014 and the VMSA-2022-0014 Questions & Answers page on vmware.com.

Need help understanding your gaps, or just want some advice? Get in touch with us.

Black Arrow Admin

Black Arrow Cyber Advisory 07/04/2022 – VMware provides patches for critical vulnerabilities in multiple products.


Executive Summary

VMware is a large supplier of virtualisation products which are used to run a wide variety of services. On 06/04/2022 VMware announced that updates had been released for multiple products in its range to address a number of vulnerabilities. Several of these have been rated "critical", including Spring4Shell, because they allow a malicious actor to execute code remotely.


What’s the risk to me or my business?

As VMware is one of the primary suppliers of virtual infrastructure, it is highly likely that some business services are hosted on machines running VMware software. A range of critical and moderate vulnerabilities is patched by these updates, including Spring4Shell, which CISA now states is being actively exploited.


What can I do?

As patches have been released, it is important that they are applied as soon as possible, particularly as some of the vulnerabilities are now being actively exploited.

Discuss with your Managed Service Provider (MSP) whether any of your devices or services are impacted, and when they can expect to be patched. Once patching is reported as complete, confirm the installed version of each affected product against the fixed versions listed in the VMware advisory. VMware has supplied workarounds to help mitigate the issues where they cannot be patched immediately, but VMware makes clear that the workarounds do not remove the vulnerabilities and may introduce additional unforeseen issues, so they should be treated as a stopgap until the patch is applied.


Technical Summary

The following VMware products are listed as affected, with the CVEs that apply to each:

  • VMware Workspace ONE Access (Access) | CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961

  • VMware Identity Manager (vIDM) | CVE-2022-22954, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961

  • VMware vRealize Automation (vRA) | CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961


The following VMware products deploy the above affected components:

  • VMware Cloud Foundation

  • vRealize Suite Lifecycle Manager


CVE-2022-22954: Critical severity, maximum CVSSv3 base score 9.8. A malicious actor with network access can trigger server-side template injection, which may result in remote code execution.

CVE-2022-22955 and CVE-2022-22956: Critical severity, maximum CVSSv3 base score 9.8. A malicious actor may bypass the authentication mechanism and execute any operation, due to exposed endpoints in the authentication framework.

CVE-2022-22957 and CVE-2022-22958: Critical severity, maximum CVSSv3 base score 9.1. A malicious actor with administrator access can trigger deserialisation of untrusted data through a malicious Java Database Connectivity (JDBC) Uniform Resource Identifier (URI), which may result in remote code execution. Note that these two require administrative access first, so they are most dangerous in combination with the authentication bypass or template injection issues above.

CVE-2022-22959, CVE-2022-22960 and CVE-2022-22961: These range from Important severity (CVE-2022-22959, cross-site request forgery, maximum CVSSv3 base score 8.8; CVE-2022-22960, local privilege escalation, maximum CVSSv3 base score 7.8) to Moderate severity (CVE-2022-22961, information disclosure, maximum CVSSv3 base score 5.3).
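The following is an added example, not part of the Black Arrow advisory and not VMware's or CISA's code. It shows what a defender can do while waiting for a patch window: scan web-server access logs for template-expression syntax of the kind used to probe for server-side template injection, the vulnerability class described for CVE-2022-22954. It is a generic detector for the class, not a signature for the specific VMware endpoint. The log-line layout, the list of template markers, and the sample log entries are all assumptions constructed for the example, not VMware's log format.

```python
"""
Added example: flag access-log entries whose request path, User-Agent or
Host header contains a template-expression opener after percent-decoding.
Generic to server-side template injection (SSTI) probing; it is not a
signature for any particular product or CVE. Log layout and sample lines
are constructed for this example.
"""
import re
from urllib.parse import unquote

# Expression openers for common template engines.
# FreeMarker: ${ ... } and <# ... >; Velocity/Thymeleaf: #{ ... }; Jinja/Twig: {{ ... }}
TEMPLATE_MARKERS = ("${", "<#", "#{", "{{")

# Assumed layout: client, "METHOD path HTTP/x.y", status, "user-agent", "host header".
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%2524 -> %24 -> $) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_ssti_probes(lines):
    """Return (client, field, decoded_value) for every line whose path, UA or
    Host header contains a template-expression opener after decoding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        for field in ("path", "ua", "host"):
            decoded = decode_fully(m.group(field))
            if any(marker in decoded for marker in TEMPLATE_MARKERS):
                hits.append((m.group("client"), field, decoded))
    return hits


# Constructed sample log: one benign request, one single-encoded probe in the
# query string, one double-encoded probe in the Host header, one benign POST.
SAMPLE_LOG = [
    '203.0.113.5 "GET /ui/login HTTP/1.1" 200 "Mozilla/5.0" "portal.example.internal"',
    '203.0.113.9 "GET /ui/login?error=%24%7Bfoo%7D HTTP/1.1" 400 "curl/7.81" "portal.example.internal"',
    '198.51.100.2 "GET /ui/login HTTP/1.1" 200 "Mozilla/5.0" "%2524%257Bbar%257D.example"',
    '198.51.100.7 "POST /api/login HTTP/1.1" 401 "python-requests/2.28" "portal.example.internal"',
]

if __name__ == "__main__":
    for client, field, value in find_ssti_probes(SAMPLE_LOG):
        print(f"possible SSTI probe from {client} in {field}: {value}")
```

Two design points matter here. Decoding is repeated because a single `unquote` misses double-encoded payloads, which are a common way to slip past naive filters. The Host header is checked alongside the path because template injection can be triggered by any request value the application reflects into a template, not only the URL. This is a monitoring aid, not a mitigation: the fix remains applying the VMware patches.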


Further technical information, including a response patch matrix and workarounds, can be found in VMSA-2022-0011 on vmware.com and in VMware knowledge base article 88098 (HW-154129), "Workaround instructions to address CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 in Workspace ONE Access Appliance (VMware Identity Manager)".


Need help understanding your gaps, or just want some advice? Get in touch with us.
