VMSA-2022-0014: Workspace ONE Access and Identity Manager Critical Vulnerability


Hot on the heels of the recent April 2022 VMware critical security advisory VMSA-2022-0011, which addressed eight CVEs within VMware Workspace ONE Access and VMware Identity Manager, VMware has released a new critical security advisory VMSA-2022-0014. This advisory addresses two new security vulnerabilities (CVE-2022-22972 and CVE-2022-22973) in VMware Workspace ONE Access and VMware Identity Manager, with one rated as critical.

Authentication Bypass Vulnerability - CVE-2022-22972

According to VMware, a malicious user with network access to the VMware Workspace ONE Access or VMware Identity Manager user interfaces may be able to obtain administrative access without needing to authenticate. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. Since this vulnerability may allow administrative access to users with only network access to the products, VMware states that “this critical vulnerability should be patched or mitigated immediately.”

VMware has listed the following product versions as affected by this vulnerability:

  • VMware Workspace ONE Access 20.10.0.1, 20.10.0.0, 21.08.0.1, 21.08.0.0
  • VMware Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3
  • VMware vRealize Automation 7.6

Additionally, VMware lists that the following product suites are affected as they include instances of VMware Identity Manager or VMware vRealize Automation:

  • VMware Cloud Foundation 4.3.x, 4.2.x, 4.1, 4.0.x, 3.x
  • vRealize Suite Lifecycle Manager 8.x

Local Privilege Escalation Vulnerability - CVE-2022-22973

According to VMware, a malicious user with local access to VMware Workspace ONE Access or VMware Identity Manager can escalate privileges to ‘root’. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

VMware has listed the following product versions as affected by this vulnerability:

  • VMware Workspace ONE Access 20.10.0.1, 20.10.0.0, 21.08.0.1, 21.08.0.0
  • VMware Identity Manager 3.3.6, 3.3.5, 3.3.4, 3.3.3

Additionally, VMware lists that the following product suites are affected as they include instances of VMware Identity Manager:

  • VMware Cloud Foundation 4.3.x, 4.2.x, 4.1, 4.0.x, 3.x
  • vRealize Suite Lifecycle Manager 8.x
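To turn the two affected-version lists above into a quick inventory check, here is an added Python triage script (not VMware's code and not part of the advisory). It encodes the versions exactly as VMware lists them for each CVE, treats a trailing ".x" as a branch wildcard, and reports which CVEs apply to each host; the hostnames and any version not on the lists are constructed sample data.

```python
# Added example, not VMware's code: triage a host inventory against the
# affected-version lists in VMSA-2022-0014. SAMPLE_INVENTORY is constructed.

# A trailing ".x" matches any release in that branch (e.g. "4.3.x" covers 4.3.1);
# entries without ".x" (such as "4.1" or "7.6") are matched exactly, as listed.
AFFECTED = {
    "CVE-2022-22972": {
        "VMware Workspace ONE Access": ["20.10.0.1", "20.10.0.0", "21.08.0.1", "21.08.0.0"],
        "VMware Identity Manager": ["3.3.6", "3.3.5", "3.3.4", "3.3.3"],
        "VMware vRealize Automation": ["7.6"],
        "VMware Cloud Foundation": ["4.3.x", "4.2.x", "4.1", "4.0.x", "3.x"],
        "vRealize Suite Lifecycle Manager": ["8.x"],
    },
    "CVE-2022-22973": {
        "VMware Workspace ONE Access": ["20.10.0.1", "20.10.0.0", "21.08.0.1", "21.08.0.0"],
        "VMware Identity Manager": ["3.3.6", "3.3.5", "3.3.4", "3.3.3"],
        "VMware Cloud Foundation": ["4.3.x", "4.2.x", "4.1", "4.0.x", "3.x"],
        "vRealize Suite Lifecycle Manager": ["8.x"],
    },
}

def version_matches(version, pattern):
    """True if `version` falls under `pattern`; a trailing 'x' component
    is a wildcard for everything after the preceding components."""
    v, p = version.strip().split("."), pattern.split(".")
    if p[-1] == "x":
        return v[:len(p) - 1] == p[:-1]
    return v == p

def applicable_cves(product, version):
    """CVEs from VMSA-2022-0014 that apply to this product at this version."""
    return [cve for cve, products in AFFECTED.items()
            if any(version_matches(version, pat) for pat in products.get(product, []))]

def triage(inventory):
    """Map each (host, product, version) to its applicable CVEs; hosts with
    no hits get an empty list so the report covers the whole inventory."""
    return {host: applicable_cves(product, version) for host, product, version in inventory}

SAMPLE_INVENTORY = [  # constructed sample data, not a real environment
    ("idm-01", "VMware Identity Manager", "3.3.6"),
    ("vra-01", "VMware vRealize Automation", "7.6"),
    ("vcf-01", "VMware Cloud Foundation", "4.3.1"),
    ("wsa-01", "VMware Workspace ONE Access", "21.08.0.2"),
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(host, "->", ", ".join(cves) if cves else "not listed in this advisory")
```

A host that falls outside the listed versions is reported as "not listed in this advisory", not as patched; confirm its actual state against VMware KB88438 rather than assuming it is fixed.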

Patches and Workarounds

VMware has released patches and workarounds to address both vulnerabilities. The recommendation is to apply the patches to all vulnerable systems as soon as possible.

Patches

VMware KB88438 provides instructions on obtaining and deploying the patches related to this advisory for VMware Workspace ONE Access and VMware Identity Manager.

Resolving the vulnerability in VMware vRealize Automation 7.6 requires deploying the latest cumulative update, Patch 28. VMware KB70911 provides instructions on obtaining and deploying the latest cumulative update.

Workarounds

While workarounds are available, VMware states:

“The only way to remove the vulnerabilities from your environment is to apply the patches provided in VMSA-2021-0014. Workarounds, while convenient, do not remove the vulnerabilities, and may introduce additional complexities that patching would not.

While the decision to patch or use the workaround is yours, VMware always strongly recommends patching as the simplest and most reliable way to resolve this type of issue.”

The workarounds for each product are documented in the VMware KB88433.
