CVE-2022-31656: VMware Patches Several Vulnerabilities in Multiple Products (VMSA-2022-0021)
VMware has patched another set of serious vulnerabilities across multiple products including VMware Workspace ONE Access. Organizations should patch urgently given past activity targeting vulnerabilities in VMware products.
Update August 9: the Proof of Concept section has been updated.
On August 2, VMware issued an advisory (VMSA-2022-0021) for ten vulnerabilities across several of its products.
|CVE-2022-31658||Remote code execution||8.0|
|CVE-2022-31659||Remote code execution||8.0|
|CVE-2022-31660||Local privilege escalation||7.8|
|CVE-2022-31661||Local privilege escalation||7.8|
|CVE-2022-31664||Local privilege escalation||7.8|
|CVE-2022-31665||Remote code execution||7.6|
Affected products include:
- VMware Workspace ONE Access and Access Connector (Access)
- VMware Identity Manager and Identity Manager Connector (vIDM)
- vRealize Lifecycle Manager
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
This may seem familiar, as this is the third similar release from VMware so far in 2022. The pattern started with VMSA-2022-0011 in April and continued in May with VMSA-2022-0014. Both of these releases are mentioned in the FAQ blog post released alongside VMSA-2022-0021. Early reports indicate that CVE-2022-31656 is actually a variant or patch bypass of CVE-2022-22972 which was patched in VMSA-2022-0014.
As we said in May, given the history of attacks targeting VMware Workspace ONE instances, organizations should apply these patches immediately. This urgency is compounded by the fact that a proof-of-concept is forthcoming from the researcher who discovered the flaw.
CVE-2022-31656 is an authentication bypass vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation that affects local domain users and was assigned a CVSSv3 score of 9.8. A remote attacker must have network access to a vulnerable user interface and could use this flaw to bypass authentication and gain administrative access. This vulnerability was credited to security researcher Petrus Viet of VNG Security.
It is crucial to note that the authentication bypass achieved with CVE-2022-31656 would allow attackers to exploit the authenticated remote code execution flaws addressed in this release (CVE-2022-31658, CVE-2022-31659, CVE-2022-31665). The Cybersecurity and Infrastructure Security Agency published an advisory in May following the release of VMSA-2022-0014 warning of attack chains being leveraged against VMware targets.
On August 9, Petrus Viet published a detailed technical analysis of CVE-2022-31656 and CVE-2022-31659.
Organizations should patch these vulnerabilities as soon as possible. A full breakdown of vulnerable and patched versions of all products can be found on the advisory page. VMware also notes that these releases are cumulative and applying these updates will address the flaws covered in prior VMSAs like VMSA-2022-0011 and VMSA-2022-0014.
VMware has also provided workaround information for CVE-2022-31656. The workaround could affect some functionality and should be treated as a temporary step. There are no workarounds for the other vulnerabilities addressed in this release.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear.
Get more information
- VMware Security Advisory VMSA-2022-0021
- VMware FAQ for CVE-2022-31656
- Knowledgebase article for workaround
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
- Vulnerability Management
Are You Vulnerable to the Latest Exploits?
Enter your email to receive the latest cyber exposure alerts in your inbox.