Executive Summary

VMware is a large supplier of virtualisation products which are used to run a variety of different services. They announced on 06/04/2022 that updates have been released for multiple products in their range to address different vulnerabilities. Some of these vulnerabilities have been marked as “critical”, including Spring4Shell due to the ability for a malicious actor to remotely execute code.

What’s the risk to me or my business?

As VMware are one of the primary suppliers of virtual infrastructure, it is highly likely that some business services will be hosted on machines running VMware software. There are a range of different critical and medium vulnerabilities being patched with these updates, including Spring4Shell, which CISA are now stating is being actively exploited.

What can I do?

As patches have been released, it is important that these are applied as soon as possible, particularly as some of the vulnerabilities are now being actively exploited.

Discuss with you Managed Service Provider (MSP) whether any of your devices or services are impacted, and when they can expect to be patched. While VMware has supplied workaround to help mitigate the issue if it cannot be immediately patched, it is strongly noted that the work arounds do not remove the vulnerabilities and may introduce additional unforeseen issues.

Technical Summary

The following VMware products have been listed as being affected by the following CVEs:

• VMware Workspace ONE Access (Access) | CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961

• VMware Identity Manager (vIDM) | CVE-2022-22954, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961

• VMware vRealize Automation (vRA) | CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961

The following VMware products deploy the above affected components:

• VMware Cloud Foundation

• vRealize Suite Lifecycle Manager

CVE-2022-22954: Critical severity range with maximum CVSSv3 base score of 9.8, malicious actor with network access can trigger server-side template injection that could result in remote code execution.

CVE-2022-22955 & CVE-2022-22956: Critical severity range with maximum CVSSv3 base score of 9.8, malicious actor may bypass authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.

CVE-2022-22957 & CVE-2022-22958: Critical severity range with maximum CVSSv3 base score of 9.1, malicious actor with administrator access can trigger deserialization of untrusted data through malicious Java Database Connectivity (JDBC) Uniform Resource Identifier (UDI), which can result in remote code execution.

CVE-2022-22959, CVE-2022-22960 & CVE-2022-22961: These vulnerabilities range from Important with maximum CVSSv3 base score of 8.8 to moderate with maximum CVSSv3 base score of 5.3.

Further technical information including a response patch matrix and workarounds can be found here: VMSA-2022-0011 (vmware.com), HW-154129 - Workaround instructions to address CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960 in Workspace ONE Access Appliance (VMware Identity Manager) (88098)

Need help understanding your gaps, or just want some advice? Get in touch with us.