CVE-2022-31656: critical auth bypass flaw in multiple VMware products

CVE-2022-31656

VMware on Tuesday announced patches for several critical and high-severity vulnerabilities affecting VMware Workspace ONE Access, Identity Manager, vRealize Automation, and other products.

A total of ten security flaws are detailed in the company’s advisory, affecting VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector, and vRealize Automation. One of the issues is rated “critical severity.”

Tracked as CVE-2022-31656 (CVSS scores: 9.8), the issues impact VMware Workspace ONE Access, Identity Manager, and vRealize Automation. “A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate,” the company noted in its advisory. PetrusViet (a member of VNG Security) has been credited with reporting the CVE-2022-31656.

One of the ten bugs is rated Critical, five are rated Important, and three are rated Moderate in severity. The list of flaws is below –

  • JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31658, CVSSv3: 8.0) affects VMware Workspace ONE Access, Identity Manager, and vRealize Automation
  • SQL injection Remote Code Execution Vulnerability (CVE-2022-31659, CVSSv3: 8.0) affects VMware Workspace ONE Access and Identity Manager
  • Local Privilege Escalation Vulnerability (CVE-2022-31660, CVE-2022-31661, CVSSv3: 7.8) affects VMware Workspace ONE Access, Identity Manager, and vRealize Automation
  • Local Privilege Escalation Vulnerability (CVE-2022-31664, CVSSv3: 7.8) affects VMware Workspace ONE Access, Identity Manager, and vRealize Automation
  • JDBC Injection Remote Code Execution Vulnerability (CVE-2022-31665, CVSSv3: 7.6) affects VMware Workspace ONE Access, Identity Manager, and vRealize Automation
  • URL Injection Vulnerability (CVE-2022-31657, CVSSv3: 5.9) affects VMware Workspace ONE Access and Identity Manager
  • Path traversal vulnerability (CVE-2022-31662, CVSSv3: 5.3) affects VMware Workspace ONE Access, Identity Manager, Connectors, and vRealize Automation
  • Cross-site scripting (XSS) vulnerability (CVE-2022-31663, CVSSv3: 4.7) affects VMware Workspace ONE Access, Identity Manager, and vRealize Automation

Successful exploitation of the aforementioned bugs could allow a malicious actor to inject javascript code in the target user’s window, redirect an authenticated user to an arbitrary domain, escalate privileges to the root user, and remotely execute arbitrary code, effectively allowing full takeover.

VMware noted that it has not seen any evidence that the vulnerabilities have been exploited in the wild, so it’s highly recommended to apply the patches to remove potential threats.