Ten vulnerabilities have recently been fixed in patches released by VMware. Products affected include:
VMware Workspace ONE Access (Access)
VMware Workspace ONE Access Connector (Access Connector)
VMware Identity Manager (vIDM)
VMware Identity Manager Connector (vIDM Connector)
VMware vRealize Automation (vRA)
VMware Cloud Foundation
vRealize Suite Lifecycle Manager
One of these vulnerabilities is CVE-2022-31656. While a severity rating has not been assigned to this vulnerability at the time of this writing, it is believed (based on early reports) that this is a variant or patch bypass of CVE-2022-22972, which was patched in May of 2022 and carried a severity rating of 7.5 out of 10.
Petrus Viet, the researcher who discovered this vulnerability, has also reported CVE-2022-31659, a SQL injection flaw that can be exploited to trigger a remote code execution. Some combination of these recent vulnerabilities, which include an authentication bypass and remote code execution, could make for some very nasty and troublesome exploit chains. Patching these vulnerabilities should be at the top of every VMWare administrator’s to-do list.
For the full advisory from VMware, please visit: https://www.vmware.com/security/advisories/VMSA-2022-0021.html