VMware patches critical auth bypass flaw in multiple products

CVE-2022-22972: Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation.

2 years ago   •   2 min read

By CloudNerve™
CVE-2022-22972: Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation.
Table of contents


VMware warned customers today to immediately patch a critical authentication bypass vulnerability "affecting local domain users" in multiple products that can be exploited to obtain admin privileges.

The flaw (tracked as CVE-2022-22972) was reported by Bruno López of Innotec Security, who found that it impacts Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation.

"A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate," the company explains.

Admins urged to patch immediately

"This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0014," VMware warned on Wednesday.

"The ramifications of this vulnerability are serious. Given the severity of the vulnerability, we strongly recommend immediate action,"

The company also patched a second high severity local privilege escalation security flaw (CVE-2022-22973) that can let attackers elevate permissions on unpatched devices to 'root.'

The complete list of VMware products impacted by these security bugs includes:

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

While VMware usually adds a note regarding active exploitation to most security advisories, VMware didn't include such information in today's VMSA-2022-0014 advisory.

VMware provides patch download links and installation instructions on its knowledgebase website.

Workaround also available

VMware also provides temporary workarounds for admins who cannot patch their appliances immediately.

The steps detailed here require admins to disable all users except one provisioned administrator and log in via SSH to restart the horizon-workspace service.

However, the company doesn't recommend applying this workaround and says that the only way to fully address the CVE-2022-22972 vulnerability is to patch the vulnerable products.

"The only way to remove the vulnerabilities from your environment is to apply the patches provided in VMSA-2021-0014. Workarounds, while convenient, do not remove the vulnerabilities, and may introduce additional complexities that patching would not," VMware added.

"While the decision to patch or use the workaround is yours, VMware always strongly recommends patching as the simplest and most reliable way to resolve this type of issue."

A support document with a list of questions and answers regarding the critical vulnerability patched today is available here.

In April, VMware patched another critical vulnerability, a remote code execution bug (CVE-2022-22954) in VMware Workspace ONE Access and VMware Identity Manager.

Attackers started exploiting it in attacks within a week after a proof-of-concept exploit was released online to deploy coinminers and install backdoors.

Spread the word

Keep reading