VMware vRealize Automation 7
Hot on the heels of the April 2022 VMware critical security advisory VMSA-2022-0011, which addressed eight CVEs in VMware Workspace ONE Access and VMware Identity Manager, VMware has released a new critical security advisory, VMSA-2022-0014. This advisory addresses two new vulnerabilities (CVE-2022-22972 and CVE-2022-22973) in VMware Workspace ONE Access and VMware Identity Manager, one of which is rated critical.

Authentication Bypass Vulnerability - CVE-2022-22972

According to VMware, a malicious actor with network access to the VMware Workspace ONE Access or VMware Identity Manager user interface may be able to obtain administrative access without needing to authenticate.
On April 21, 2022, VMware released the April 2022 Cumulative Security Update for vRealize Automation 7.6 and vRealize Orchestrator 7.6. This update patches platform components that vulnerability scanners may flag when scanning the virtual appliances. Because the update is cumulative, all previously updated components are included in this release.

What’s Included

VMware does not provide detailed release notes for these cumulative security updates; based on the contents of the update script, the following RPM packages are deployed during the update process:
Unless you’ve been living under a rock the past couple of days, you have likely seen many articles about CVE-2021-44228, a remote code execution vulnerability in Apache Log4j. Log4j is a Java-based logging library used by applications all over the world, which is what makes this vulnerability such a serious issue: it is easy to exploit and the number of exposed systems is enormous. Like most companies with Java-based applications, VMware uses Log4j for application logging in many of its products.
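The first thing a practitioner needs when an advisory like this lands is a quick way to tell which copies of log4j-core on a host fall inside the affected range. The script below is an added example, not code from the original post or from VMware: it parses log4j-core JAR file names as found by a filesystem search, orders pre-release versions correctly (2.0-beta9 is the first affected build, and betas sort before release candidates, which sort before GA), and flags versions affected by CVE-2021-44228, honouring the backported fixes 2.12.2 (Java 7) and 2.3.1 (Java 6). The sample inventory paths are constructed for the example and are not real appliance paths.

```python
"""Triage log4j-core JAR file names against the CVE-2021-44228 affected range.

Added example, not code from the original post or from VMware.
Affected: Apache Log4j 2.0-beta9 through 2.14.1, except the backported
security releases 2.12.2 and later on the 2.12 branch (Java 7) and
2.3.1 and later on the 2.3 branch (Java 6). Log4j 1.x is a different
code base and is not in scope for this CVE.
"""
import re
from typing import Dict, List, Optional, Tuple

# Sort key: (major, minor, patch, stage, pre_number). stage orders
# beta (0) < rc (1) < GA (2), so 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1.
VersionKey = Tuple[int, int, int, int, int]

JAR_RE = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?\.jar$"
)
STAGE = {"beta": 0, "rc": 1, None: 2}

FIRST_AFFECTED: VersionKey = (2, 0, 0, STAGE["beta"], 9)  # 2.0-beta9
FIRST_FIXED: VersionKey = (2, 15, 0, STAGE[None], 0)      # 2.15.0


def parse_log4j_core_version(path: str) -> Optional[VersionKey]:
    """Return the version key for a log4j-core JAR path, or None if the
    file name is not a log4j-core JAR (log4j-api, log4j 1.x, ...)."""
    m = JAR_RE.search(path)
    if not m:
        return None
    major, minor, patch, stage, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), STAGE[stage], int(pre or 0))


def is_affected_by_cve_2021_44228(v: VersionKey) -> bool:
    """True if the version lies in the CVE-2021-44228 affected range."""
    if not (FIRST_AFFECTED <= v < FIRST_FIXED):
        return False
    _major, minor, patch, stage, _pre = v
    ga = stage == STAGE[None]
    # Backported fixes for older Java runtimes are inside the numeric
    # range but are not affected.
    if ga and minor == 12 and patch >= 2:
        return False
    if ga and minor == 3 and patch >= 1:
        return False
    return True


def triage(paths: List[str]) -> Dict[str, str]:
    """Map each path to 'affected', 'not affected' or 'not log4j-core'."""
    verdicts: Dict[str, str] = {}
    for p in paths:
        v = parse_log4j_core_version(p)
        if v is None:
            verdicts[p] = "not log4j-core"
        else:
            verdicts[p] = "affected" if is_affected_by_cve_2021_44228(v) else "not affected"
    return verdicts


# Constructed inventory (hypothetical paths, not real appliance layouts)
# chosen to exercise the boundaries of the affected range.
SAMPLE_INVENTORY = [
    "/opt/example-app/lib/log4j-core-2.11.2.jar",
    "/opt/example-app/lib/log4j-core-2.12.1.jar",
    "/opt/example-app/lib/log4j-core-2.12.2.jar",
    "/opt/example-app/lib/log4j-core-2.3.jar",
    "/opt/example-app/lib/log4j-core-2.3.1.jar",
    "/opt/example-app/lib/log4j-core-2.0-beta8.jar",
    "/opt/example-app/lib/log4j-core-2.0-beta9.jar",
    "/opt/example-app/lib/log4j-core-2.15.0.jar",
    "/opt/example-app/lib/log4j-1.2.17.jar",
    "/opt/example-app/lib/log4j-api-2.11.2.jar",
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict:15} {path}")
```

Feed it the output of a `find / -name 'log4j-core-*.jar'` run on the appliance. A file-name check is only a first pass: it will not see log4j-core classes that were shaded or repackaged into another JAR, and the scope here is CVE-2021-44228 alone, so later Log4j advisories need their own ranges.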
It seems like it wasn’t too long ago that I posted that Patch 3 had been released for vRealize Automation 7.6 (technically it was March 2, 2020). Since then, VMware has been quite busy resolving various issues in vRealize Automation 7.6 and has released 11 additional patches as well as 2 cumulative security updates. Patch 14 for vRealize Automation 7.6 was released by VMware on September 22, 2020, and contains a single fix, for “Email notifications fail to work properly over time requiring service restarts”.
While vRealize Automation 8.0 may be the hot new cloud management platform from VMware, vRealize Automation 7.6 still enjoys widespread usage due to its long life and rich feature set, so VMware continues to provide bug fixes for it. Continuing this trend, VMware released Hotfix 3 for vRealize Automation 7.6 on February 25, 2020. This cumulative update brings fixes for 14 separate issues relating to performance, the UI and vRealize Operations integration, and adds support for Red Hat Enterprise Linux 8.