VYPR
Unrated severity · NVD Advisory · Published Apr 13, 2022 · Updated Aug 3, 2024

CVE-2022-22961

Description

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an information disclosure vulnerability due to returning excess information. A malicious actor with remote access may leak the hostname of the target system. Successful exploitation of this issue can lead to targeting victims.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

VMware Workspace ONE Access, Identity Manager, and vRealize Automation expose hostname information to remote attackers, aiding targeted attacks.

Vulnerability

CVE-2022-22961 is an information disclosure vulnerability in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), and VMware vRealize Automation (vRA). The affected versions are those prior to the patches released on 2022-04-13 as documented in VMSA-2022-0011 [1]. The bug exists in the response handling logic, where the application returns excess information, specifically the hostname of the target system, to a remote attacker [1].

Exploitation

To exploit this vulnerability, a malicious actor requires only remote access to the target system; no authentication or user interaction is needed. The actor can send crafted network requests to the vulnerable service, and the server will respond with its hostname in the reply, leaking the information directly [1].

Impact

Successful exploitation allows the attacker to learn the internal hostname of the affected system. While this is not a direct compromise of data or execution, it provides reconnaissance information that can be used to tailor further attacks against the specific environment, increasing the risk of later targeted exploitation [1].

Mitigation

VMware released patches for all affected products on 2022-04-13 to address this vulnerability. Administrators should apply the updates listed in the 'Fixed Version' column of the Resolution Matrix in VMSA-2022-0011 [1]. No workarounds were published. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the last update.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

References

1
