VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
{"checkpoint_advisories": [{"lastseen": "2022-10-13T22:36:08", "description": "An authentication bypass vulnerability exists in VMWare Workspace One Access. Successful exploitation of this vulnerability would allow a remote attacker to obtain sensitive information and gain unauthorized access to the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-30T00:00:00", "type": "checkpoint_advisories", "title": "VMWare Workspace One Access Authentication Bypass (CVE-2022-31656)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-31656"], "modified": "2022-08-30T00:00:00", "id": "CPAI-2022-0516", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "impervablog": [{"lastseen": "2022-08-11T20:01:31", "description": "### Takeaways:\n\n * VMWare Workspace ONE vulnerabilities CVE-2022-31656 and CVE-2022-31659 work in tandem to allow a remote attacker with network access to conduct remote code execution on the server.\n * Imperva Threat Research has seen a sharp rise in attacks since a POC was published on August 9, mostly targeting US and Singapore-based sites.\n * Imperva\u2019s defenses have caught thousands of attacks using automated tools developed in the Go programming language, and 30% of attacking IPs have a risk score of 70% or higher.\n * Imperva has deployed dedicated security rules to cover both CVEs.\n\nOn August 9, 2022, a proof-of-concept was released for VMWare\u2019s earlier security advisories CVE-2022-31656 and CVE-2022-31659, published on August 2, 2022. 
Both of these vulnerabilities affect VMWare Workspace ONE, and build on each other to ultimately allow for remote code execution. \n\nFor context, CVE-2022-31656 allows users with network access to obtain administrative access without authentication, and CVE-2022-31659 allows remote code execution once the malicious user obtains administrator privileges. VMWare has released [patches](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) for both CVEs, and it is recommended that all VMWare Workspace ONE clients apply these patches immediately to mitigate potential exploitation.\n\nImperva began witnessing attack attempts trying to exploit CVE-2022-31656 immediately after the POC was published on August 9, and we\u2019re continuing to see these numbers steadily rise. Most attacks are targeting customers in the US and Singapore across the educational and financial industries, although _all_ VMWare Workspace ONE customers should take action to prevent intrusions. \n\nSo far, Imperva has found several thousand attack attempts, and 30% of the attacking IPs have a risk score of 70% or above. The vast majority of attackers are using automated tools developed in the Go programming language. \n\nSince Imperva\u2019s CWAF has multiple layers of security defense, attack attempts trying to exploit CVE-2022-31656 were initially detected by existing security rules, threat reputation, and bot protection policies. We\u2019ve deployed complete coverage for both vulnerabilities, so all CWAF customers and On-Premises WAF customers with SecureSphere Emergency Feed are protected from CVE-2022-31656 and CVE-2022\u201331659. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-10T16:55:48", "type": "impervablog", "title": "What we know about VMWare CVE-2022\u201331656 and CVE-2022\u201331659", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31659"], "modified": "2022-08-10T16:55:48", "id": "IMPERVABLOG:EFE468EB28E318764FFAA6B250FFFE78", "href": "https://www.imperva.com/blog/what-we-know-about-vmware-cve-2022-31656-and-cve-2022-31659/", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisa": [{"lastseen": "2022-08-12T14:02:35", "description": "VMware has released security updates to address multiple vulnerabilities in VMware\u2019s Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector, and vRealize Automation. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. \n\n**Updated August 8, 2022:** According to VMware, \"VMware has confirmed malicious code that can exploit CVE-2022-31656 and CVE-2022-31659 in impacted products is publicly available.\"\n\nCISA encourages users and administrators to review VMware Security Advisory [VMSA-2022-0021](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) and apply the necessary updates. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-03T00:00:00", "type": "cisa", "title": "VMware Releases Security Updates ", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31659"], "modified": "2022-08-09T00:00:00", "id": "CISA:78745C11D5F7CDA41C77C0A98F92D5D5", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/08/03/vmware-releases-security-updates", "cvss": {"score": 0.0, "vector": "NONE"}}], "hivepro": [{"lastseen": "2022-08-11T20:07:12", "description": "VMware has addressed multiple vulnerabilities, including an authentication bypass (CVE-2022-31656), remote code execution (CVE-2022-31658, CVE-2022-31659, and CVE-2022-31665), and many more flaws.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": 
"NONE"}, "impactScore": 5.9}, "published": "2022-08-04T11:47:45", "type": "hivepro", "title": "VMware products impacted by an authentication bypass vulnerability and other flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31665"], "modified": "2022-08-04T11:47:45", "id": "HIVEPRO:242E0A299034344004E19D94AEDF04D7", "href": "https://www.hivepro.com/vmware-products-impacted-by-an-authentication-bypass-vulnerability-and-other-flaws/", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2022-08-11T20:55:05", "description": "In a new critical security advisory, [VMSA-2022-0021](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>), VMWare describes multiple vulnerabilities in several of its products, one of which has a [CVSS](<https://www.malwarebytes.com/blog/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) score of 9.8. Exploiting these vulnerabilities would enable a threat actor with network access to bypass authentication and execute code remotely.\n\n## Vulnerabilities\n\nVMWare patched several other vulnerabilities. These bugs would enable attackers to gain remote code execution or to escalate privileges to 'root' on unpatched servers.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). You will find the most important ones listed below.\n\n### CVE-2022-31656\n\n[CVE-2022-31656](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31656>) is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users and was assigned a CVSS score of 9.8 out of 10. 
A remote attacker with network access to a vulnerable user interface could use this flaw to bypass authentication and gain administrative access. (VMWare credits security researcher [Petrus Viet](<https://twitter.com/VietPetrus/status/1554485970514608128>) with discovering this vulnerability.)\n\n### CVE-2022-31659 and CVE-2022-31658\n\nThe same researcher found two Remote Code Execution (RCE) vulnerabilities with a CVSS score of 8 out of 10--[CVE-2022-31658](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31658>) and [CVE-2022-31659](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31659>). CVE-2022-31658 is a JDBC injection RCE, and CVE-2022-31659 is a SQL injection RCE. Both can be chained with CVE-2022-31656, turning the authentication bypass achieved into something that allows an attacker to perform remote code execution. These vulnerabilities also affect VMware Workspace ONE Access, Identity Manager, and vRealize Automation products.\n\n### CVE-2022-31665\n\n[CVE-2022-31665](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31665>) is a JDBC injection RCE vulnerability that exists in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. JDBC (Java Database Connectivity) is an application programming interface (API) for Java, which defines how a client may access a database. A malicious actor with administrator and network access can trigger a remote code execution.\n\n## Other privilege escalation vulnerabilities\n\nBesides the already mentioned vulnerability listed as CVE-2022-31656, VMWare fixed [CVE-2022-31660](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31660>), [CVE-2022-31661](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31661>), and [CVE-2022-31664](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31664>), which are all local privilege escalation vulnerabilities. 
These vulnerabilities would allow a threat actor with local access to escalate privileges to 'root'.\n\n## Mitigation\n\nEven though there is no evidence that the critical CVE-2022-31656 authentication bypass vulnerability is actively being exploited in attacks, VMWare states that it is extremely important that you quickly take steps to patch or mitigate all the issues in on-premises deployments.\n\nTo fully protect yourself and your organization, please install one of the patch versions listed in the [VMware Security Advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>), or use the workarounds listed in the VMSA.\n\nStay safe, everyone!", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-03T13:00:00", "type": "malwarebytes", "title": "Update now! 
VMWare patches critical vulnerabilities in several products", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-03T13:00:00", "id": "MALWAREBYTES:9E428F767EFCD8CC64A0BC77175C8151", "href": "https://www.malwarebytes.com/blog/news/2022/08/update-now-vmware-patches-critical-vulnerabilities-in-several-products", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-03T15:33:33", "description": "In a new critical security advisory, [VMSA-2022-0021](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>), VMWare describes multiple vulnerabilities in several of its products, one of which has a [CVSS](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) score of 9.8. Exploiting these vulnerabilities would enable a threat actor with network access to bypass authentication and execute code remotely.\n\n## Vulnerabilities\n\nVMWare patched several other vulnerabilities. These bugs would enable attackers to gain remote code execution or to escalate privileges to 'root' on unpatched servers.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). You will find the most important ones listed below.\n\n### CVE-2022-31656\n\n[CVE-2022-31656](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31656>) is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation that affects local domain users and was assigned a CVSS score of 9.8 out of 10. A remote attacker with network access to a vulnerable user interface could use this flaw to bypass authentication and gain administrative access. 
(VMWare credits security researcher [Petrus Viet](<https://twitter.com/VietPetrus/status/1554485970514608128>) with discovering this vulnerability.)\n\n### CVE-2022-31659 and CVE-2022-31658\n\nThe same researcher found two Remote Code Execution (RCE) vulnerabilities with a CVSS score of 8 out of 10\u2014[CVE-2022-31658](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31658>) and [CVE-2022-31659](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31659>). CVE-2022-31658 is a JDBC injection RCE, and CVE-2022-31659 is a SQL injection RCE. Both can be chained with CVE-2022-31656, turning the authentication bypass achieved into something that allows an attacker to perform remote code execution. These vulnerabilities also affect VMware Workspace ONE Access, Identity Manager, and vRealize Automation products.\n\n### CVE-2022-31665\n\n[CVE-2022-31665](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31665>) is a JDBC injection RCE vulnerability that exists in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. JDBC (Java Database Connectivity) is an application programming interface (API) for Java, which defines how a client may access a database. A malicious actor with administrator and network access can trigger a remote code execution.\n\n## Other privilege escalation vulnerabilities\n\nBesides the already mentioned vulnerability listed as CVE-2022-31656, VMWare fixed [CVE-2022-31660](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31660>), [CVE-2022-31661](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31661>), and [CVE-2022-31664](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31664>), which are all local privilege escalation vulnerabilities. 
These vulnerabilities would allow a threat actor with local access to escalate privileges to 'root'.\n\n## Mitigation\n\nEven though there is no evidence that the critical CVE-2022-31656 authentication bypass vulnerability is actively being exploited in attacks, VMWare states that it is extremely important that you quickly take steps to patch or mitigate all the issues in on-premises deployments.\n\nTo fully protect yourself and your organization, please install one of the patch versions listed in the [VMware Security Advisory](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>), or use the workarounds listed in the VMSA. \n\nStay safe, everyone!", "cvss3": {}, "published": "2022-08-03T13:27:47", "type": "malwarebytes", "title": "Update now! 
VMWare patches critical vulnerabilities in several products", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-03T13:27:47", "id": "MALWAREBYTES:4AD7D9B99AE2ADD1CBB83E0522B03A21", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/08/update-now-vmware-patches-critical-vulnerabilities-in-several-products/", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2022-08-11T18:59:39", "description": "VMware and experts alike are urging users to patch multiple products affected by a critical authentication bypass vulnerability that can allow an attacker to gain administrative access to a system as well as exploit other flaws.\n\nThe bug\u2014tracked as [CVE-2022-31656](<https://tenable.com/cve/CVE-2022-31656>)\u2014earned a rating of 9.8 on the CVSS and is one of a number of fixes the company made in various products [in an update](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) released on Tuesday for flaws that could easily become an exploit chain, researchers said.\n\nCVE-2022-31656 is also certainly the most dangerous of these vulnerabilities, and likely will become more so as the researcher who discovered it\u2013[Petrus Viet](<https://twitter.com/VietPetrus>) of VNG Security\u2013has promised [in a tweet](<https://twitter.com/VietPetrus/status/1554485970514608128>) that a proof-of-concept exploit for the bug is \u201csoon to follow,\u201d experts said.\n\nThis adds urgency to the need for organizations affected by the flaw to patch now, researchers said.\n\n\u201cGiven the prevalence of attacks targeting VMware vulnerabilities and a forthcoming proof-of-concept, organizations need to make patching CVE-2022-31656 a priority,\u201d [Claire Tills](<https://www.tenable.com/profile/claire-tills>), senior research engineer with Tenable\u2019s Security Response Team, 
said in an email to Threatpost. \u201cAs an authentication bypass, exploitation of this flaw opens up the possibility that attackers could create very troubling exploit chains.\u201d\n\n## **Potential for Attack Chain**\n\nSpecifically, CVE-2022-31656 is an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager and vRealize Automation.\n\nThe bug affects local domain users and requires that a remote attacker must have network access to a vulnerable user interface, according to [a blog post](<https://www.tenable.com/blog/cve-2022-31656-vmware-patches-several-vulnerabilities-in-multiple-products-vmsa-2022-0021>) by Tills published Tuesday. Once an attacker achieves this, he or she can use the flaw to bypass authentication and gain administrative access, she said.\n\nMoreover, the vulnerability is the gateway to exploiting other remote code execution (RCE) flaws addressed by VMWare\u2019s release this week\u2014[CVE-2022-31658](<https://www.tenable.com/cve/CVE-2022-31658>) and [CVE-2022-31659](<https://www.tenable.com/cve/CVE-2022-31659>)\u2014to form an attack chain, Tills observed.\n\nCVE-2022-31658 is a JDBC injection RCE vulnerability that affects VMware Workspace ONE Access, Identity Manager and vRealize Automation that\u2019s earned an \u201cimportant\u201d score on the CVSS\u20148.0. The flaw allows a malicious actor with administrator and network access to trigger RCE.\n\nCVE-2022-31659 is an SQL injection RCE vulnerability that affects VMware Workspace ONE Access and Identity Manager and also earned a rating of 8.0 with a similar attack vector to CVE-2022-31658. 
Viet is credited with discovering both of these flaws.\n\nThe other six bugs patched in the update include another RCE bug (CVE-2022-31665) rated as important; two privilege escalation vulnerabilities (CVE-2022-31660 and CVE-2022-31661) rated as important; a local privilege escalation vulnerability (CVE-2022-31664) rated as important; a URL Injection Vulnerability (CVE-2022-31657) rated as moderate; and a path traversal vulnerability (CVE-2022-31662) rated as moderate.\n\n## **Patch Early, Patch Everything**\n\nVMware is no stranger to having to rush out patches for critical bugs found in its products, and has suffered its share of security woes due to the ubiquity of its platform across enterprise networks.\n\nIn late June, for example, federal agencies warned of [attackers pummeling](<https://threatpost.com/log4shell-targeted-vmware-data/180072/>) VMware Horizon and Unified Access Gateway (UAG) servers to exploit the now-infamous [Log4Shell](<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>) RCE vulnerability, an [easy-to-exploit flaw](<https://threatpost.com/apache-log4j-log4shell-mutations/176962/>) discovered in the Apache logging library Log4J late last year and [continuously targeted](<https://threatpost.com/vmware-bugs-abused-mirai-log4shell/179652/>) on VMware and other platforms since then.\n\nIndeed, sometimes even patching has still not been enough for VMware, with attackers targeting existing flaws after the company does its due diligence to release a fix.\n\nThis scenario occurred in December 2020, when [the feds warned](<https://threatpost.com/nsa-vmware-bug-under-attack/161985/>) the adversaries were actively exploiting a weeks-old bug in Workspace One Access and Identity Manager products three days after the vendor patched the vulnerability.\n\nThough all signs point to the urgency of patching the latest threat to VMware\u2019s platform, it\u2019s highly likely that even if the advice is heeded, the 
danger will persist for the foreseeable future, observed one security professional.\n\nThough enterprises tend to initially move quickly to patch the most imminent threats to their network, they often miss other places attackers can exploit a flaw, observed Greg Fitzgerald, co-founder of Sevco Security, in an email to Threatpost. This is what leads to persistent and ongoing attacks, he said.\n\n\u201cThe most significant risk for enterprises isn\u2019t the speed at which they are applying critical patches; it comes from not applying the patches on every asset,\u201d Fitzgerald said. \u201cThe simple fact is that most organizations fail to maintain an up-to-date and accurate IT asset inventory, and the most fastidious approach to patch management cannot ensure that all enterprise assets are accounted for.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-03T15:23:16", "type": "threatpost", "title": "VMWare Urges Users to Patch Critical Authentication Bypass Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-03T15:23:16", "id": "THREATPOST:556939F8D58337486DFBC3B2A820DE47", "href": "https://threatpost.com/vmware-patch-critical-bug/180346/", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2022-08-03T09:59:40", "description": 
"Virtualization services provider VMware on Tuesday shipped updates to [address 10 security flaws](<https://www.vmware.com/security/advisories/VMSA-2022-0021.html>) affecting multiple products that could be abused by unauthenticated attackers to perform malicious actions.\n\nThe issues, tracked from CVE-2022-31656 through CVE-2022-31665 (CVSS scores: 4.7 - 9.8), impact VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, Identity Manager Connector, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager.\n\nThe most severe of the flaws is CVE-2022-31656 (CVSS score: 9.8), an authentication bypass vulnerability affecting local domain users that could be leveraged by a bad actor with network access to obtain administrative rights.\n\nAlso resolved by VMware are three remote code execution vulnerabilities (CVE-2022-31658, CVE-2022-31659, and CVE-2022-31665) related to JDBC and SQL injection that could be weaponized by an adversary with administrator and network access.\n\nElsewhere, it has also remediated a reflected cross-site scripting (XSS) vulnerability (CVE-2022-31663) that it said is a result of improper user sanitization, which could lead to the activation of malicious JavaScript code.\n\nRounding off the patches are three local privilege escalation bugs (CVE-2022-31660, CVE-2022-31661, and CVE-2022-31664) that permit an actor with local access to escalate privileges to 
\"root,\" a URL injection vulnerability (CVE-2022-31657), and a path traversal bug (CVE-2022-31662).\n\nWhile successful exploitation of CVE-2022-31657 makes it possible to redirect an authenticated user to an arbitrary domain, CVE-2022-31662 could equip an attacker to read files in an unauthorized manner.\n\nVMware said it's not aware of the exploitation of these vulnerabilities in the wild, but urged customers using the vulnerable products to [apply the patches immediately](<https://core.vmware.com/vmsa-2022-0021-questions-answers-faq>) to mitigate potential threats.", "cvss3": {}, "published": "2022-08-03T04:49:00", "type": "thn", "title": "VMware Releases Patches for Several New Flaws Affecting Multiple Products", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31663", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-03T08:25:40", "id": "THN:97305EC3B8A0058F1A01ECB0B12FBD3E", "href": "https://thehackernews.com/2022/08/vmware-releases-patches-for-several-new.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "vmware": [{"lastseen": "2022-11-02T03:01:01", "description": "3a. Authentication Bypass Vulnerability (CVE-2022-31656) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. \n\n3b. 
JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31658) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. \n\n3c. SQL injection Remote Code Execution Vulnerability (CVE-2022-31659) \n\nVMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. \n\n3d. Local Privilege Escalation Vulnerability (CVE-2022-31660, CVE-2022-31661) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. VMware has evaluated the severity of these issues to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3e. Local Privilege Escalation Vulnerability (CVE-2022-31664) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3f. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31665) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.6. \n\n3g. URL Injection Vulnerability (CVE-2022-31657) \n\nVMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9. \n\n3h. 
Path traversal vulnerability (CVE-2022-31662) \n\nVMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation contain a path traversal vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. \n\n3i. Cross-site scripting (XSS) vulnerability (CVE-2022-31663) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a reflected cross-site scripting (XSS) vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.7.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-02T00:00:00", "type": "vmware", "title": "VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector and vRealize Automation updates address multiple vulnerabilities.", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31663", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-09T00:00:00", "id": "VMSA-2022-0021.1", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0021.1.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-08-12T17:12:24", "description": "3a. Authentication Bypass Vulnerability (CVE-2022-31656) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. 
VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. \n\n3b. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31658) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. \n\n3c. SQL injection Remote Code Execution Vulnerability (CVE-2022-31659) \n\nVMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.0. \n\n3d. Local Privilege Escalation Vulnerability (CVE-2022-31660, CVE-2022-31661) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. VMware has evaluated the severity of these issues to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3e. Local Privilege Escalation Vulnerability (CVE-2022-31664) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8. \n\n3f. JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31665) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.6. \n\n3g. URL Injection Vulnerability (CVE-2022-31657) \n\nVMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9. 
\n\n3h. Path traversal vulnerability (CVE-2022-31662) \n\nVMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation contain a path traversal vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3. \n\n3i. Cross-site scripting (XSS) vulnerability (CVE-2022-31663) \n\nVMware Workspace ONE Access, Identity Manager and vRealize Automation contain a reflected cross-site scripting (XSS) vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.7.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-02T00:00:00", "type": "vmware", "title": "VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector and vRealize Automation updates address multiple vulnerabilities.", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31663", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-08-02T00:00:00", "id": "VMSA-2022-0021", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0021.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2023-01-27T15:05:22", "description": "The VMware Workspace One Access (formerly VMware Identity Manager) application running on the remote host is affected by the following vulnerabilities:\n\n - An authentication bypass vulnerability affecting local domain users. 
A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. (CVE-2022-31656)\n\n - A remote code execution vulnerability. A malicious actor with administrator and network access can trigger a remote code execution. (CVE-2022-31658)\n\n - A remote code execution vulnerability. A malicious actor with administrator and network access can trigger a remote code execution. (CVE-2022-31659)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-09T00:00:00", "type": "nessus", "title": "VMware Workspace One Access / VMware Identity Manager Multiple Vulnerabilities (VMSA-2022-0021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-31656", "CVE-2022-31657", "CVE-2022-31658", "CVE-2022-31659", "CVE-2022-31660", "CVE-2022-31661", "CVE-2022-31662", "CVE-2022-31663", "CVE-2022-31664", "CVE-2022-31665"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:vmware:identity_manager", "cpe:/a:vmware:workspace_one_access"], "id": "VMWARE_WORKSPACE_ONE_ACCESS_VMSA-2022-0021.NASL", "href": "https://www.tenable.com/plugins/nessus/163939", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(163939);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2022-31656\",\n \"CVE-2022-31657\",\n \"CVE-2022-31658\",\n \"CVE-2022-31659\",\n \"CVE-2022-31660\",\n 
\"CVE-2022-31661\",\n \"CVE-2022-31662\",\n \"CVE-2022-31663\",\n \"CVE-2022-31664\",\n \"CVE-2022-31665\"\n );\n script_xref(name:\"VMSA\", value:\"2022-0021\");\n script_xref(name:\"IAVA\", value:\"2022-A-0303\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0027\");\n\n script_name(english:\"VMware Workspace One Access / VMware Identity Manager Multiple Vulnerabilities (VMSA-2022-0021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An identity store broker application running on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The VMware Workspace One Access (formerly VMware Identity Manager) application running on the remote host is affected\nby the following vulnerabilities:\n\n - An authentication bypass vulnerability affecting local domain users. A malicious actor with network access\n to the UI may be able to obtain administrative access without the need to authenticate. (CVE-2022-31656)\n\n - A remote code execution vulnerability. A malicious actor with administrator and network access can trigger\n a remote code execution. (CVE-2022-31658)\n\n - A remote code execution vulnerability. A malicious actor with administrator and network access can trigger\n a remote code execution. 
(CVE-2022-31659)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2022-0021.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://core.vmware.com/vmsa-2022-0021-questions-answers-faq\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.vmware.com/s/article/89096\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the HW-160130 hotfix to VMware Workspace One Access / VMware Identity Manager as per the VMSA-2022-0021 advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-31656\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'VMware Workspace ONE Access CVE-2022-31660');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/08/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/08/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:identity_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:workspace_one_access\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_workspace_one_access_web_detect.nbin\", \"vmware_workspace_one_access_installed.nbin\");\n script_require_keys(\"installed_sw/VMware Workspace ONE Access\");\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app = 'VMware Workspace ONE Access';\n\nvar app_info = vcf::vmware_workspace_one_access::get_app_info(combined:TRUE);\n\n# 3.3.[3456] don't have fixed builds, so audit out unless we are doing a paranoid scan\n# Remote detection does not pull hotfixes. Require paranoia\nif ((app_info.webapp || app_info.version =~ \"3\\.3\\.[3456]\\.\") && report_paranoia < 2)\n audit(AUDIT_POTENTIAL_VULN, app, app_info.version);\n\nvar patch = '160130';\n\nvar constraints = [\n { 'min_version':'3.3.4.0.0', 'fixed_version':'3.3.7.0.0', 'fixed_display':'Refer to vendor advisory and apply patch HW-160130.' },\n\n { 'min_version':'19.03.0.1', 'max_version':'19.03.0.1.99999999', 'fixed_display':'19.03.0.1 with HW-160130' },\n \n { 'min_version':'21.08.0.0.0', 'max_version':'21.08.0.0.99999999', 'fixed_display':'21.08.0.0 with HW-160130' },\n { 'min_version':'21.08.0.1', 'max_version':'21.08.0.1.99999999', 'fixed_display':'21.08.0.1 with HW-160130' }\n];\n\nvcf::vmware_workspace_one_access::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, expected_patch:patch);\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}