{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-025.pdf"
    },
    "title": "UPDATE: Critical Vulnerabilities in VMware",
    "serial_number": "2022-025",
    "publish_date": "07-04-2022 11:45:00",
    "description": "On April 6th, VMware released several security patches for critical-severity flaws affecting multiple products. The vulnerabilities identified as \"CVE-2022-22954\", \"CVE-2022-22955\", \"CVE-2022-22956\", \"CVE-2022-22957\", and \"CVE-2022-22958\" can lead to multiple effects such as remote code execution and authentication bypass.<br>VMware also patched high and medium severity bugs that could be exploited for Cross-Site Request Forgery (CSRF) attacks (\"CVE-2022-22959\"), privilege escalation (\"CVE-2022-22960\"), and gain access to information without authorisation (\"CVE-2022-22961\").<br>On May 20th, Unit 42 has observed numerous instances of \"CVE-2022-22954\" being exploited in the wild. When successful, \"CVE-2022-22960\" can be leveraged to run commands as a root user. It is strongly recommended to patch as soon as possible.",
    "url_title": "2022-025",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in VMware'\nversion: '1.1'\nnumber: '2022-025'\ndate: 'May 24, 2022'\n---\n\n_History:_\n\n* _07/04/2022 --- v1.0 -- Initial publication_\n* _24/05/2022 --- v1.1 -- Updated with information about active exploitation_\n\n# Summary\n\nOn April 6th, VMware released several security patches for critical-severity flaws affecting multiple products. The vulnerabilities identified as `CVE-2022-22954`, `CVE-2022-22955`, `CVE-2022-22956`, `CVE-2022-22957`, and `CVE-2022-22958` can lead to multiple effects such as remote code execution and authentication bypass.\n\nVMware also patched high and medium severity bugs that could be exploited for Cross-Site Request Forgery (CSRF) attacks (`CVE-2022-22959`), privilege escalation (`CVE-2022-22960`), and gain access to information without authorisation (`CVE-2022-22961`) [1].\n\nOn May 20th, Unit 42 has observed numerous instances of `CVE-2022-22954` being exploited in the wild [4]. When successful, `CVE-2022-22960` can be leveraged to run commands as a root user. It is strongly recommended to patch as soon as possible [2].\n\n# Technical Details\n\nHere are the technical details of the vulnerabilities :\n\n- `CVE-2022-22954` - CVSS score: 9.8 - VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection.\n\n- `CVE-2022-22955` and `CVE-2022-22956` - CVSS score: 9.8 - VMware Workspace ONE Access has two authentication bypass vulnerabilities in the OAuth2 ACS framework.\n\n- `CVE-2022-22957` and `CVE-2022-22958` - CVSS score: 9.1 - VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities. \n\n- `CVE-2022-22959` - CVSS score: 8.8 - VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a cross site request forgery vulnerability.\n\n- `CVE-2022-22960` - CVSS score: 7.8 - VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. \n\n- `CVE-2022-22961` - CVSS score: 5.3 - VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an information disclosure vulnerability due to returning excess information.\n\n# Affected Products\n\n- VMware Workspace ONE Access (Access)\n- VMware Identity Manager (vIDM)\n- VMware vRealize Automation (vRA)\n- VMware Cloud Foundation\n- vRealize Suite Lifecycle Manager\n\n# Recommendations and Workarounds\n\nCERT-EU recommends to apply the patches or the workarounds provided by VMware [2]. While applying workarounds is possible, VMware strongly recommends patching as the simplest and most reliable way to resolve this issue.\n\nVMware has also published a document with additional questions and answers regarding VMSA-2021-0011 [3].\n\nSince vulnerabilities `CVE-2022-22954` and `CVE-2022-22960` are exploited in the wild [4], it is highly recommended to apply the patches as soon as possible.\n\n# References\n\n[1] <https://www.bleepingcomputer.com/news/security/vmware-warns-of-critical-vulnerabilities-in-multiple-products/>\n\n[2] <https://www.vmware.com/security/advisories/VMSA-2022-0011.html>\n\n[3] <https://core.vmware.com/vmsa-2022-0011-questions-answers-faq>\n\n[4] <https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>07/04/2022 --- v1.0 -- Initial publication</em></li><li><em>24/05/2022 --- v1.1 -- Updated with information about active exploitation</em></li></ul><h2 id=\"summary\">Summary</h2><p>On April 6th, VMware released several security patches for critical-severity flaws affecting multiple products. The vulnerabilities identified as <code>CVE-2022-22954</code>, <code>CVE-2022-22955</code>, <code>CVE-2022-22956</code>, <code>CVE-2022-22957</code>, and <code>CVE-2022-22958</code> can lead to multiple effects such as remote code execution and authentication bypass.</p><p>VMware also patched high and medium severity bugs that could be exploited for Cross-Site Request Forgery (CSRF) attacks (<code>CVE-2022-22959</code>), privilege escalation (<code>CVE-2022-22960</code>), and gain access to information without authorisation (<code>CVE-2022-22961</code>) [1].</p><p>On May 20th, Unit 42 has observed numerous instances of <code>CVE-2022-22954</code> being exploited in the wild [4]. When successful, <code>CVE-2022-22960</code> can be leveraged to run commands as a root user. It is strongly recommended to patch as soon as possible [2].</p><h2 id=\"technical-details\">Technical Details</h2><p>Here are the technical details of the vulnerabilities :</p><ul><li><p><code>CVE-2022-22954</code> - CVSS score: 9.8 - VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection.</p></li><li><p><code>CVE-2022-22955</code> and <code>CVE-2022-22956</code> - CVSS score: 9.8 - VMware Workspace ONE Access has two authentication bypass vulnerabilities in the OAuth2 ACS framework.</p></li><li><p><code>CVE-2022-22957</code> and <code>CVE-2022-22958</code> - CVSS score: 9.1 - VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities. </p></li><li><p><code>CVE-2022-22959</code> - CVSS score: 8.8 - VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a cross site request forgery vulnerability.</p></li><li><p><code>CVE-2022-22960</code> - CVSS score: 7.8 - VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. </p></li><li><p><code>CVE-2022-22961</code> - CVSS score: 5.3 - VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an information disclosure vulnerability due to returning excess information.</p></li></ul><h2 id=\"affected-products\">Affected Products</h2><ul><li>VMware Workspace ONE Access (Access)</li><li>VMware Identity Manager (vIDM)</li><li>VMware vRealize Automation (vRA)</li><li>VMware Cloud Foundation</li><li>vRealize Suite Lifecycle Manager</li></ul><h2 id=\"recommendations-and-workarounds\">Recommendations and Workarounds</h2><p>CERT-EU recommends to apply the patches or the workarounds provided by VMware [2]. While applying workarounds is possible, VMware strongly recommends patching as the simplest and most reliable way to resolve this issue.</p><p>VMware has also published a document with additional questions and answers regarding VMSA-2021-0011 [3].</p><p>Since vulnerabilities <code>CVE-2022-22954</code> and <code>CVE-2022-22960</code> are exploited in the wild [4], it is highly recommended to apply the patches as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/vmware-warns-of-critical-vulnerabilities-in-multiple-products/\">https://www.bleepingcomputer.com/news/security/vmware-warns-of-critical-vulnerabilities-in-multiple-products/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.vmware.com/security/advisories/VMSA-2022-0011.html\">https://www.vmware.com/security/advisories/VMSA-2022-0011.html</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://core.vmware.com/vmsa-2022-0011-questions-answers-faq\">https://core.vmware.com/vmsa-2022-0011-questions-answers-faq</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/\">https://unit42.paloaltonetworks.com/cve-2022-22954-vmware-vulnerabilities/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}