Threat Intelligence Blog
Black Arrow Cyber Advisory 03/08/2022 – VMware provides patches for critical vulnerabilities in multiple product lines.
Executive Summary
VMware is a large supplier of virtualisation products, which are used to run a variety of different services. On 02/08/2022 VMware announced that updates have been released for multiple products in its range to address multiple vulnerabilities, and recommended that these are applied immediately because one of the vulnerabilities allows a malicious user who already has network access to gain administrator access on the affected VMware system.
What’s the risk to me or my business?
As VMware is one of the primary suppliers of virtual infrastructure, it is highly likely that some business services will be hosted on machines running VMware software. If that infrastructure is exploited, the Confidentiality, Integrity, or Availability of those services could be impacted.
What can I do?
As patches have been released, it is important that these are applied as soon as possible.
Discuss with your Managed Service Provider (MSP) whether any of your devices or services are impacted, and when they can be expected to be patched. While VMware has supplied workarounds to help mitigate the issue if it cannot be immediately patched, it is strongly noted that the workarounds do not remove the vulnerabilities and may introduce additional unforeseen issues.
Technical Summary
The following is a breakdown of the different vulnerabilities and the VMware products each one affects.
CVE-2022-31656: Critical severity range with maximum CVSSv3 base score of 9.8, malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. Affected VMware products:
· VMware Workspace ONE Access
· Identity Manager
· vRealize Automation
CVE-2022-31658: Important severity range with maximum CVSSv3 base score of 8.0, malicious actor with administrator and network access can trigger a remote code execution. Affected VMware products:
· VMware Workspace ONE Access
· Identity Manager
· vRealize Automation
CVE-2022-31659: Important severity range with maximum CVSSv3 base score of 8.0, malicious actor with administrator and network access can trigger a remote code execution. Affected VMware products:
· VMware Workspace ONE Access
· Identity Manager
CVE-2022-31660, CVE-2022-31661, CVE-2022-31664: Important severity range with maximum CVSSv3 base score of 7.8, malicious actor with local access to the system can escalate privileges to ‘root’. Affected VMware products:
· VMware Workspace ONE Access
· Identity Manager
· vRealize Automation
CVE-2022-31665: Important severity range with maximum CVSSv3 base score of 7.6, malicious actor with administrator and network access can trigger a remote code execution. Affected VMware products:
· VMware Workspace ONE Access
· Identity Manager
· vRealize Automation
CVE-2022-31657: Moderate severity range with maximum CVSSv3 base score of 5.9, malicious actor with network access may be able to redirect an authenticated user to an arbitrary domain. Affected VMware products:
· VMware Workspace ONE Access
· Identity Manager
CVE-2022-31662: Moderate severity range with maximum CVSSv3 base score of 5.3, malicious actor with network access may be able to access arbitrary files. Affected VMware products:
· VMware Workspace ONE Access
· Identity Manager
· Connectors
· vRealize Automation
CVE-2022-31663: Moderate severity range with maximum CVSSv3 base score of 4.7. Due to improper user input sanitization, a malicious actor with some user interaction may be able to inject JavaScript code in the target user's window. Affected VMware products:
· VMware Workspace ONE Access
· Identity Manager
· vRealize Automation
Further technical information, including a response patch matrix and workarounds, can be found in VMSA-2022-0021 (vmware.com) and VMSA-2022-0021: Questions & Answers (VMware).