How to Patch the 10 New Vulnerabilities in Vmware Products (Cve-2022-31656 to Cve-2022-31665)?

VMWare published an advisory on 6th April 2022 in which it disclosed 10 new vulnerabilities in VMWare products. One of the ten vulnerabilities is rated Critical, six are rated Important, and three are rated Moderate in severity. All the ten vulnerabilities are assigned CVSS scores from 9.8 to 4.7. Attackers could abuse these vulnerabilities to carry out authentication bypass, remote code execution, privilege escalation, URL injection, path traversal, and cross-site scripting (XSS) attacks on vulnerable VMWare products like VMware Workspace ONE Access (Access), VMware Workspace ONE Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. It is highly recommended that all the VMWare product owners mitigate or patch the 10 new vulnerabilities in these VMWare products (CVE-2022-31656 to CVE-2022-31665).

Summary of the 10 New Vulnerabilities in Vmware Products:

Out of 10 vulnerabilities, 1 is critical, 6 are high, and 3 are medium in severity as per the CVSS 3.0 rating system.

This Table Is Created in Evernote By the Author

Vmware Products Vulnerable to the 10 New Vulnerabilities (Cve-2022-31656 to Cve-2022-31665):

There are five products that VMWare has listed in its advisory. They are:

How to Patch the 10 New Vulnerabilities in Vmware Products (Cve-2022-31656 to Cve-2022-31665)?

These products are impacted only if vIDM is used within their environment.vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM.vRealize Automation 7.6 is affected since it uses embedded vIDM.

1. These products are impacted only if vIDM is used within their environment. 
2, vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM.
3. vRealize Automation 7.6 is affected since it uses embedded vIDM.

How to Patch the 10 New Vulnerabilities in Vmware Products?

VMWare has released patches to address these vulnerabilities. Please download the patches if you want to apply the patches to them. But, there are a few things to be noted before you apply the fix. 

Please refer to the below table to download the patches for your VMWare products.

This Table Is Created in Evernote By the Author

How to Patch VMWare Products?

Note: The below procedure doesn’t apply for vRA 7.6. There is a separate patch available for vRA 7.6. Please refer to the KB 70911 to apply the patches on vRA 7.6.

Time needed: 10 minutes.

How to Patch VMWare Products?

Validate the patch has been successfully applied.

2. Repeat this process on all the cluster nodes if you run cluster deployments. You can keep other nodes running in the cluster deployments.

Note:

rm -rf /usr/local/horizon/conf/flags/HW-160130-<version-number>-hotfix.applied

How to Apply the Workaround to Fixcve-2022-31656 to Cve-2022-31665?

There is a workaround for those who are not in a position to apply the permanent patches any time soon. However, they might need to compromise with the loss of certain functionalities. Please read these points carefully before making the decision to go for a workaround over a permanent fix.

VMWare has released workarounds to address these vulnerabilities. Please visit this KB to see the procedure to Apply the Workaround for the 10 New Vulnerabilities in VMWare products.

We hope this post would help you know how to patch the 10 new vulnerabilities in VMWare products (CVE-2022-31656 to CVE-2022-31665). Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr,  Medium & Instagram, and subscribe to receive updates like this.