We would like to bring your attention to the following critical vulnerabilities we have recently become aware of which affects the following VMware products:
- VMware Workspace ONE Access (Access)
- VMware Workspace ONE Access Connector (Access Connector)
- VMware Identity Manager (vIDM)
- VMware Identity Manager Connector (vIDM Connector)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
VMware is urging all users of the above applications to apply the latest patches in order to resolve the following vulnerabilities.
- Authentication Bypass Vulnerability (CVE-2022-31656 CVSSv3 score 9.8)
- JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31658CVSSv3 score 8.0)
- SQL injection Remote Code Execution Vulnerability (CVE-2022-31659CVSSv3 score 8.0)
- Local Privilege Escalation Vulnerability (CVE-2022-31660, CVE-2022-31661CVSSv3 score 7.8)
- Local Privilege Escalation Vulnerability (CVE-2022-31664 CVSSv3 score 7.8)
- JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31665CVSSv3 score 7.6)
- URL Injection Vulnerability (CVE-2022-31657 CVSSv3 score 5.9)
- Path traversal vulnerability (CVE-2022-31662 CVSSv3 score 5.3)
- Cross-site scripting (XSS) vulnerability (CVE-2022-31663 CVSSv3 score 4.7)
It should be noted that each item in the above list does not affect every product mentioned, but each application is affected by at least one of the listed vulnerabilities.
We are continuing to monitor the situation. Please reach out if you have any concerns or queries about this announcement.