VMware Releases Critical Security Updates for Multiple Products
Two critical advisories affect ESXi, Workstation, Fusion, and vRealize Network Insight and one important advisory affects Workspace One Access and Identity Manager
Affected platforms
The following platforms are known to be affected: VMware ESXi, VMware Workstation Pro / Player, VMware Fusion Pro / Fusion, VMware vRealize Network Insight (vRNI), VMware Workspace ONE Access, VMware Identity Manager (vIDM), and VMware Cloud Foundation.
Threat details
VMSA-2022-0031
Critical advisory addresses vulnerabilities affecting vRealize Network Insight (vRNI)
VMware has released a security update to address two security vulnerabilities in vRealize Network Insight (vRNI). The first vulnerability, CVE-2022-31702, has a CVSSv3 score of 9.8 and concerns command injection, potentially allowing an attacker with network access to the vRNI REST API to execute commands without authentication.
The second vulnerability, CVE-2022-31703, has a CVSSv3 score of 7.5 and involves directory traversal, potentially allowing an attacker with network access to the vRNI REST API to read arbitrary files from the server.
VMSA-2022-0032
Important advisory for vulnerability affecting Workspace ONE Access, Identity Manager, and Cloud Foundation
VMware has released a security update to address two security vulnerabilities within VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), and VMware Cloud Foundation (Cloud Foundation). The first vulnerability, CVE-2022-31700, has a CVSSv3 score of 7.2 and concerns authenticated remote code execution (RCE), potentially allowing an attacker with administrator and network access to remotely execute code on the underlying operating system.
The second vulnerability, CVE-2022-31701, has a CVSSv3 score of 5.3 and is a broken authentication vulnerability, potentially allowing an attacker with network access to obtain system information that could be used to target victims.
Note: Access Connector and vIDM Connector are unaffected.
VMSA-2022-0033
Critical advisory for vulnerability affecting ESXi, Workstation Pro / Player, and Fusion Pro / Fusion
VMware has released a security update to address a security vulnerability within VMware ESXi, VMware Workstation Pro / Player (Workstation), and VMware Fusion Pro / Fusion (Fusion). The vulnerability, CVE-2022-31705, has a CVSSv3 score of 9.3 and concerns a heap out-of-bounds write in the USB 2.0 controller (EHCI), potentially allowing an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.
On ESXi, exploitation is contained within the VMX sandbox, while on Workstation and Fusion, exploitation may lead to code execution on the machine where Workstation or Fusion is installed.
Remediation advice
Affected organisations are encouraged to review the VMware security advisories below and apply the relevant updates.
Remediation steps
| Type | Step |
|---|---|
| Patch | VMSA-2022-0031 - VMware vRealize Network Insight (vRNI) updates address command injection and directory traversal security vulnerabilities (CVE-2022-31702, CVE-2022-31703) https://www.vmware.com/security/advisories/VMSA-2022-0031.html |
| Patch | VMSA-2022-0032 - VMware Workspace ONE Access and Identity Manager updates address multiple vulnerabilities (CVE-2022-31700, CVE-2022-31701) https://www.vmware.com/security/advisories/VMSA-2022-0032.html |
| Patch | VMSA-2022-0033 - VMware ESXi, Workstation, and Fusion updates address a heap out-of-bounds write vulnerability (CVE-2022-31705) https://www.vmware.com/security/advisories/VMSA-2022-0033.html |
Last edited: 14 December 2022 4:48 pm