DIVD-2022-00025 - VMware - CVE-2022-22954
Field | Value |
---|---|
Our reference | DIVD-2022-00025 |
Case lead | Victor Pasman |
Researcher(s) | |
CVE(s) | |
Product | VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, vRealize Suite Lifecycle Manager |
Versions | versions prior to 20.10.0.1, 20.10.0.0 |
Recommendation | If you receive an email from DIVD referring to this case, the vulnerability has been confirmed. You should update the application to the newest versions 20.10.0.1, 20.10.0.0. |
Patch status | Available |
Status | Closed |
Last modified | 19 Dec 2022 20:06 CET |
Summary
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability caused by server-side template injection. A malicious actor with network access to the affected application can trigger the template injection, which may result in remote code execution on the server.
What you can do
- If you’re using an affected version of a VMware product, you should upgrade to 20.10.0.2+ to prevent exploitation.
What we are doing
- DIVD is currently ensuring that the owners of vulnerable systems are being notified. We do this by scanning for vulnerable hosts, verifying the vulnerability and notifying the owners of these systems. If you receive an email from us regarding this case, the vulnerability has been confirmed.
Timeline
Date | Description |
---|---|
12 Apr 2022 | DIVD starts investigating the scope and impact of the vulnerability. |
13 Apr 2022 | First version of this case file. |
13 Apr 2022 | First batch of notifications sent |
15 May 2022 | Second batch of notifications sent |
24 Jun 2022 | Third batch of notifications sent |
28 Jul 2022 | Fourth batch of notifications sent |
02 Nov 2022 | DIVD starts closing procedure including reporting |
```mermaid
gantt
title DIVD-2022-00025 - VMware - CVE-2022-22954
dateFormat YYYY-MM-DD
axisFormat %e %b %Y
section Case
DIVD-2022-00025 - VMware - CVE-2022-22954 (233 days) :2022-04-12, 2022-12-01
section Events
DIVD starts investigating the scope and impact of the vulnerability. : milestone, 2022-04-12, 0d
First version of this case file. : milestone, 2022-04-13, 0d
First batch of notifications sent : milestone, 2022-04-13, 0d
Second batch of notifications sent : milestone, 2022-05-15, 0d
Third batch of notifications sent : milestone, 2022-06-24, 0d
Fourth batch of notifications sent : milestone, 2022-07-28, 0d
DIVD starts closing procedure including reporting : milestone, 2022-11-02, 0d
```