Researcher Petrus Viet of VNG Security has discovered a flaw (CVE-2022-31656) in multiple VMware products that allows a threat actor to gain Remote Code Execution (RCE) and privilege escalation to ‘root’ on unpatched servers. VMware determined the severity of the bug to be critical, giving it a CVSSv3 score of 9.8/10 and urging organizations to take immediate action.
The following VMware products are affected:
- VMware Workspace ONE Access (Access)
- VMware Workspace ONE Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
VMware has stated that there is no evidence of this vulnerability being abused in the wild.
A patch has been released by VMware coinciding with Petrus Viet’s announcement. System owners can find all the necessary information for remediation on VMware’s knowledge base website here: https://kb.vmware.com/s/article/89096
In cases where the patch cannot be applied due to an organization’s risk assessment or inability to patch, VMware has also provided a temporary workaround. The workaround revolves around disabling all users except one provisioned administrator and logging in via SSH to restart the horizon-workspace service. It should be noted that VMware does not recommend using this workaround, and strongly encourages the patch to be applied instead stating:
“Workarounds do not remove the vulnerabilities from the environment, and almost always introduce additional complexities and technical debt that patching would not. These updates do not introduce new functionality or other changes beyond resolving these issues and should be a straightforward update in most environments. While the decision to patch or use the workaround is yours, VMware always strongly recommends patching as the simplest and most reliable way to resolve this type of issue.”
Information on the workaround can be found here: https://kb.vmware.com/s/article/88433