Critical Update for VMware products

Report a cyber attack: call 0300 303 5222 or email carecert@nhsdigital.nhs.uk

Summary

VMware have released a critical security update to address severe vulnerabilities in multiple VMware products.


Threat details

Exploitation of CVE-2022-22972 and CVE-2022-22973

VMware has confirmed that malicious code that can exploit CVE-2022-22972 in affected products is publicly available.

Advanced Persistent Threat (APT) groups have commonly targeted vulnerabilities in VMware products in the past, beginning exploitation within 48 hours of the vulnerabilities being made public. Previously disclosed vulnerabilities (CVE-2022-22954, which was covered in Cyber Alert CC-4072, and CVE-2022-22960) in the same impacted VMware products were quickly exploited after disclosure.

The latest vulnerabilities could be chained together with the previously released vulnerabilities, or used separately, to allow an attacker to take full control of a system.


Introduction

VMware have released security updates to address two new vulnerabilities in Workspace ONE Access, Identity Manager (vIDM), vRealize Automation, VMware Cloud Foundation, and vRealize Lifecycle Manager products.

The critical vulnerability known as CVE-2022-22972 relates to authentication bypass and could allow an attacker with network access to the UI to gain administrative access without the need to authenticate. The important vulnerability known as CVE-2022-22973 concerns a local privilege escalation that could allow a local attacker to escalate privileges to root.

An attacker could use these vulnerabilities either separately or in tandem with one another to take control of an affected system.


Remediation advice

Affected organisations are required to review VMware's security advisory VMSA-2022-0014 and apply the relevant updates.

Additional information can be found in VMware's VMSA-2022-0014 Questions & Answers and CISA's links to other resources in their announcement regarding these vulnerabilities.



Last edited: 27 May 2022 2:28 pm