CVE-2022-22956
Description
VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
VMware Workspace ONE Access contains an authentication bypass in the OAuth2 ACS framework allowing unauthenticated access to any endpoint.
Vulnerability
The authentication bypass vulnerability, assigned CVE-2022-22956, exists in the OAuth2 ACS (Access Control Service) framework of VMware Workspace ONE Access. The flaw is due to exposed endpoints in the authentication framework that allow a malicious actor to bypass the authentication mechanism. This vulnerability affects all versions of VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager prior to the patches released in April 2022 [1].
Exploitation
A malicious actor with network access to the affected system can exploit the exposed OAuth2 ACS endpoints without requiring any authentication or user interaction. By sending crafted HTTP requests to these endpoints, the attacker can bypass the authentication checks and gain unauthorized access to the system [1].
Impact
Successful exploitation allows the attacker to execute any operation on the affected system, including administrative actions, by bypassing the authentication mechanism. The impact includes complete compromise of the confidentiality, integrity, and availability of the application and its data. The CVSSv3 base score for this vulnerability is 8.1 (High) [1].
Mitigation
VMware released patches to remediate CVE-2022-22956 in the updated versions listed in the Resolution Matrix of the VMSA-2022-0011 advisory. Users should upgrade Workspace ONE Access to version 21.08.0.1 or later, Identity Manager to 3.3.6 or later, and vRealize Automation to 8.6.1 or later. No workarounds have been published [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- VMware/Workspace ONE Access