Headline
CVE-2022-31701: VMSA-2022-0032
VMware Workspace ONE Access and Identity Manager contain a broken authentication vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
Advisory ID: VMSA-2022-0032
CVSSv3 Range: 5.3-7.2
Issue Date: 2022-12-13
Updated On: 2022-12-13 (Initial Advisory)
CVE(s): CVE-2022-31700, CVE-2022-31701
Synopsis: VMware Workspace ONE Access and Identity Manager updates address multiple vulnerabilities (CVE-2022-31700, CVE-2022-31701).
****1. Impacted Products****
- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware Cloud Foundation (Cloud Foundation)
****2. Introduction****
Multiple vulnerabilities were privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.
****3a. Authenticated Remote Code Execution Vulnerability (CVE-2022-31700)****
VMware Workspace ONE Access and Identity Manager contain an authenticated remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.
A malicious actor with administrator and network access may be able to remotely execute code on the underlying operating system.
To remediate CVE-2022-31700, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.
VMware would like to thank Steven Seeley of Source Incite for reporting this issue to us.
****3b. Broken Authentication Vulnerability (CVE-2022-31701)****
VMware Workspace ONE Access and Identity Manager contain a broken authentication vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
A malicious actor with network access may be able to obtain system information due to an unauthenticated endpoint. Successful exploitation of this issue can lead to targeting victims.
To remediate CVE-2022-31701 apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.
VMware would like to thank Kyung Yoon for reporting this issue to us.
Product
Version
Running On
CVE Identifier
CVSSv3
Severity
Fixed Version
Workarounds
Additional Documentation
Access
22.09.0.0
Linux
CVE-2022-31700
N/A
N/A
Unaffected
N/A
N/A
Access
22.09.0.0
Linux
CVE-2022-31701
5.3
moderate
22.09.1.0
None
None
Access
21.08.0.1, 21.08.0.0
Linux
CVE-2022-31700
7.2
important
KB90399
None
None
Access
21.08.0.1, 21.08.0.0
Linux
CVE-2022-31701
5.3
moderate
KB90399
None
None
Access Connector
All
Windows
CVE-2022-31700, CVE-2022-31701
N/A
N/A
Unaffected
N/A
N/A
vIDM
3.3.6
Linux
CVE-2022-31700
7.2
important
KB90399
None
None
vIDM
3.3.6
Linux
CVE-2022-31701
5.3
moderate
KB90399
None
None
vIDM Connector
All
Windows
CVE-2022-31700, CVE-2022-31701
N/A
N/A
Unaffected
N/A
N/A
VMware Cloud Foundation (vIDM)
Any
Any
CVE-2022-31700, CVE-2022-31701
7.2
important
KB90384
N/A
N/A
****4. References****
****5. Change Log****
2022-12-13 VMSA-2022-0032
Initial security advisory.
****6. Contact****