How to Patch the 10 New Vulnerabilities in VMware Products (CVE-2022-31656 to CVE-2022-31665)

VMware published advisory VMSA-2022-0021 on 2nd August 2022, disclosing 10 new vulnerabilities in VMware products. One of the ten is rated Critical, six are rated Important, and three are rated Moderate in severity, with CVSS scores ranging from 9.8 down to 4.7. Attackers could abuse these vulnerabilities to carry out authentication bypass, remote code execution, privilege escalation, URL injection, path traversal, and cross-site scripting (XSS) attacks on vulnerable VMware products such as VMware Workspace ONE Access (Access), VMware Workspace ONE Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. The most severe of them, CVE-2022-31656, is an authentication bypass reachable over the network, so it is highly recommended that all owners of these VMware products mitigate or patch the 10 new vulnerabilities (CVE-2022-31656 to CVE-2022-31665) as soon as possible.

Summary of the 10 New Vulnerabilities in VMware Products:

Out of the 10 vulnerabilities, 1 is Critical, 6 are High, and 3 are Medium in severity as per the CVSSv3 rating system.

CVE ID | Description | CVSS Score | Severity
CVE-2022-31656 | An authentication bypass vulnerability affecting local domain users in VMware Workspace ONE Access, Identity Manager and vRealize Automation. | 9.8 | Critical
CVE-2022-31658 | A remote code execution vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation. | 8.0 | High
CVE-2022-31659 | A remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. | 8.0 | High
CVE-2022-31660 & CVE-2022-31661 | Privilege escalation vulnerabilities in VMware Workspace ONE Access, Identity Manager and vRealize Automation. | 7.8 | High
CVE-2022-31664 | A local privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation. | 7.8 | High
CVE-2022-31665 | A remote code execution vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation. | 7.6 | High
CVE-2022-31657 | A URL injection vulnerability in VMware Workspace ONE Access and Identity Manager. | 5.9 | Medium
CVE-2022-31662 | A path traversal vulnerability in VMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation. | 5.3 | Medium
CVE-2022-31663 | A reflected cross-site scripting (XSS) vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation. | 4.7 | Medium

VMware Products Vulnerable to the 10 New Vulnerabilities (CVE-2022-31656 to CVE-2022-31665):

VMware lists seven affected products and versions in its advisory. They are:

  1. VMware Workspace ONE Access (Access): 21.08.0.1, 21.08.0.0
  2. VMware Workspace ONE Access Connector (Access Connector): 22.05, 21.08.0.1, 21.08.0.0
  3. VMware Identity Manager (vIDM): 3.3.6, 3.3.5, 3.3.4
  4. VMware Identity Manager Connector (vIDM Connector): 3.3.6, 3.3.5, 3.3.4, 19.03.0.1
  5. VMware vRealize Automation (vRA): 8.x, 7.6
  6. VMware Cloud Foundation: 4.4.x, 4.3.x, 4.2.x, 3.x
  7. vRealize Suite Lifecycle Manager: 8.x

Notes on the Affected Products:

  1. VMware Cloud Foundation and vRealize Suite Lifecycle Manager are impacted only if vIDM is used within their environment.

  2. vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed alongside vRA 8.x, the fixes should be applied directly to vIDM.

  3. vRealize Automation 7.6 is affected since it uses embedded vIDM.

How to Patch the 10 New Vulnerabilities in VMware Products?

VMware has released patches to address these vulnerabilities. Download the patch that matches your product version before you begin. There are a few things to note before you apply the fix:

  1. Upgrade to Supported Versions: Check whether you are running any unsupported versions. Patches are only provided for supported versions, so upgrade any unsupported instances to a supported version first, even though they are vulnerable in the meantime.
  2. Take a Backup: Take a backup or snapshot of the appliances and the database server before you do anything.

Please refer to the table below to download the patches for your VMware products.

Product | Component | Version(s)
VMware Workspace ONE Access | Appliance | 21.08.0.1
VMware Workspace ONE Access | Appliance | 21.08.0.0
VMware Identity Manager | Appliance & Connector | 3.3.6
VMware Identity Manager | Appliance & Connector | 3.3.5
VMware Identity Manager | Appliance & Connector | 3.3.4
VMware Identity Manager | Connector | 19.03.0.1
VMware vRealize Automation | 7.6 | 7.6

How to Patch VMware Products?

Note: The procedure below does not apply to vRA 7.6. There is a separate patch for vRA 7.6; refer to KB 70911 to apply the patches on vRA 7.6.

Time needed: about 10 minutes per appliance.

  1. Log in to the appliance with root privileges.

    Log in to the command line of the appliance over SSH as root.

  2. Download the patch (HW-160130-Appliance-<Version>.zip).

    Download the patch (HW-160130-Appliance-<Version>.zip) that matches your product version and transfer it to the appliance.

  3. Unzip the file.

    Use this command to unzip the downloaded file on the appliance:

    # unzip HW-160130-Appliance-<Version>.zip

  4. Change into the unzipped directory.

    Use the 'cd' command to change into the extracted directory:

    # cd HW-160130-Appliance-<Version>

  5. Install the patch by running the patch script.

    Run the installer to apply the patch:

    # ./HW-160130-applyPatch.sh

Validate that the patch has been applied successfully:

  1. Access the Workspace ONE Access Console as an administrator and open the System Diagnostics page. All checks should be green.
  2. If the patch was applied successfully, a flag file named HW-160130-<version-number>-hotfix.applied (for example, HW-160130-21.08.0.1-hotfix.applied) is created in the /usr/local/horizon/conf/flags directory.
  3. If you run a cluster deployment, repeat this process on every node of the cluster. The other nodes can keep running while a node is being patched.

Note:

  1. Once you apply the patch, the workaround (if you applied it earlier) is removed automatically.
  2. If you upgrade the appliance later, the patch for the new version must be applied again.
  3. There is a separate patch for vRA 7.6. Please refer to KB 70911.
  4. Do not apply the patch on top of the problematic earlier build of the patch. Remove the flag left by the problematic patch before applying the correct patch:

    # rm -rf /usr/local/horizon/conf/flags/HW-160130-<version-number>-hotfix.applied
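The steps above, wrapped as an added example (this is not VMware's own tooling and not code from the original post): a small POSIX sh script for the appliance that refuses to re-apply an already recorded hotfix, runs the vendor's unzip/cd/applyPatch steps, and then performs the flag-file check from the validation section. It assumes the patch zip has already been transferred to the appliance, that the flag directory is the one named in this article, and the function names (hotfix_flag, hotfix_applied, remove_stale_flag, apply_hotfix) are this example's own.

```shell
#!/bin/sh
# Added example wrapper around the HW-160130 hotfix steps; not VMware's code.
# Assumes: run as root on the appliance, patch zip already copied there,
# flag directory as documented in the article (override with FLAG_DIR=...).

FLAG_DIR="${FLAG_DIR:-/usr/local/horizon/conf/flags}"

# Path of the flag file the hotfix drops for a given appliance version,
# e.g. /usr/local/horizon/conf/flags/HW-160130-21.08.0.1-hotfix.applied
hotfix_flag() {
  printf '%s/HW-160130-%s-hotfix.applied\n' "$FLAG_DIR" "$1"
}

# Exit status 0 if the hotfix for this version is recorded as applied, 1 otherwise.
hotfix_applied() {
  [ -f "$(hotfix_flag "$1")" ]
}

# Remove the flag left behind by a previously applied problematic build of the
# patch so the correct build can be applied cleanly (note 4 above).
# Safe to call when no flag exists.
remove_stale_flag() {
  flag="$(hotfix_flag "$1")"
  if [ -f "$flag" ]; then
    rm -f "$flag"
    echo "removed stale flag $flag"
  fi
}

# Unpack and run the patch, then confirm via the flag file.
# $1 = path to HW-160130-Appliance-<version>.zip, $2 = appliance version.
apply_hotfix() {
  zip="$1"; ver="$2"
  # Idempotent: a recorded hotfix is not applied a second time.
  if hotfix_applied "$ver"; then
    echo "hotfix for $ver already applied, nothing to do"
    return 0
  fi
  if [ ! -f "$zip" ]; then
    echo "patch archive not found: $zip" >&2
    return 1
  fi
  # Run the vendor steps in a subshell so the caller's working directory is untouched.
  ( unzip -q "$zip" \
      && cd "HW-160130-Appliance-${ver}" \
      && ./HW-160130-applyPatch.sh ) || {
    echo "patch script failed for $ver" >&2
    return 1
  }
  # Vendor validation step: the flag file must exist after a successful install.
  if hotfix_applied "$ver"; then
    echo "hotfix $ver applied: $(hotfix_flag "$ver")"
  else
    echo "patch script finished but no flag file was created" >&2
    return 1
  fi
}

# Usage: ./hotfix.sh HW-160130-Appliance-21.08.0.1.zip 21.08.0.1
# Call remove_stale_flag <version> first only when the earlier, problematic
# build of the patch is known to be on this node.
if [ "$#" -eq 2 ]; then
  apply_hotfix "$1" "$2"
fi
```

Run it once per node in a cluster; because it checks the flag file before doing anything, re-running it on an already patched node is harmless. It does not replace the System Diagnostics check in the console, which remains the authoritative post-patch verification.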

How to Apply the Workaround for CVE-2022-31656 to CVE-2022-31665?

There is a workaround for those who are not in a position to apply the permanent patches any time soon. However, it comes at the cost of certain functionality. Read these points carefully before deciding on the workaround over the permanent fix:

  1. Local users may lose their login access.
  2. Inventory sync may fail if VMware Identity Manager is managed by vRealize Suite Lifecycle Manager.

VMware has published workarounds for these vulnerabilities. Refer to the VMware KB linked from the advisory for the procedure to apply the workaround for the 10 new vulnerabilities in VMware products, and note that the workaround is a temporary measure: the patch remains the recommended fix and removes the workaround automatically when applied.

We hope this post helps you patch the 10 new vulnerabilities in VMware products (CVE-2022-31656 to CVE-2022-31665). Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium, and subscribe to receive updates like this.

About the author

Arun KL

Hi all, I am Arun KL, an IT security professional and founder of "thesecmaster.com". Enthusiast, security blogger, technical writer, editor, and author at TheSecMaster. To know more about me, follow me on LinkedIn.
