Patch Alert: VMware discloses critical vulnerabilities

The News

Yesterday, in critical security advisory VMSA-2022-0021, VMware disclosed vulnerabilities found in a series of products, primarily Workspace ONE Access, Identity Manager, and vRealize Automation. A few notable CVEs came out of this advisory:

• CVE-2022-31656 (9.8/10 CVSS Score) - An authentication bypass vulnerability found in Workspace ONE Access, Identity Manager, and vRealize Automation and impacts local domain users. This vulnerability allows for an adversary to gain administrative access to a vulnerable UI.
• CVE-2022-31658 and CVE-2022-31659 (8/10 CVSS Score)- Vulnerabilities discovered by the same researcher as CVE-2022-31656, these are two Remote Code Execution (RCE) vulnerabilities that allow for RCE via either JDBC or SQL injection, respectively. The researcher noted that the vulnerabilities can be chained together, and impact the same set of products.
• CVE-2022-31660, CVE-2022-31661, CVE-2022-31664 (7.8/10 CVSS Score) - Three privilege escalation vulnerabilities that allow an adversary with local access to escalate to root.
• CVE-2022-31665 (7.6/10 CVSS Score) - A JDBC injection vulnerability that could allow an adversary with administrator and network access to perform remote code execution (RCE).

There are few other CVEs as part of this, however I find the above to be the most notable. The critical observation from the above is that the researcher who found the first three vulnerabilities was able to quickly chain them together, quickly moving from authentication bypass to RCE.

Other impacted products as part of this CVE include VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

VMware did post in their security advisory that they have yet to see active exploitation of these vulnerabilities in the wild.

Hot Take

I'm not one of those people who pulls that "Ugh, of course it's ${vendor}" crap. All software, everywhere, have vulnerabilities that eventually get discovered and patched. Even some of my favorite, developer-take-all-my-money software come out with vulnerability announcements. Let's not hate on vendors/developers so much.

However, what I will advise is that the "not actively exploited" statement typically doesn't last very long. The researcher who found CVE-2022-31656 and CVE-2022-31659 has already indicated they will be blogging about their finding and POC:

Now that the announcement is live, expect adversarial researchers and others to try and figure out how to exploit these and chain them together. Patch quickly, and put this concern to bed.

What To Do Next?

This one is easy - patch, patch, patch! Patch as quickly as you can. Don't let "not actively exploited" be the words that slow or delay your patching. As tough as it is to admit, it takes one victim (only one!) to change "not actively exploited" to "actively exploited". Don't be the one!

Additional References

Malwarebytes Labs Blog