VMSA-2022-0008

• VMware Carbon Black App Control (AppC)

Multiple vulnerabilities in VMware Carbon Black App Control were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

VMware Carbon Black App Control contains an OS command injection vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.

An authenticated, high privileged malicious actor with network access to the VMware App Control administration interface may be able to execute commands on the server due to improper input validation leading to remote code execution.

To remediate CVE-2022-22951 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

None.

None.

Before using the download links make sure to log into the Carbon Black User Exchange (UEX).

VMware would like to thank Jari Jääskelä (@JJaaskela) for reporting this issue to us.

VMware Carbon Black App Control contains a file upload vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.

A malicious actor with administrative access to the VMware App Control administration interface may be able to execute code on the Windows instance where AppC Server is installed by uploading a specially crafted file.

To remediate CVE-2022-22952 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

None.

None.

Before using the download links make sure to log into the Carbon Black User Exchange (UEX).

VMware would like to thank Jari Jääskelä (@JJaaskela) for reporting this issue to us.

Fixed Version(s) and Release Notes:

VMware Carbon Black App Control 8.8.2, 8.7.4, 8.6.6, 8.5.14

Downloads and Documentation:

https://community.carbonblack.com/t5/Documentation-Downloads/Critical-App-Control-Server-Patch-Announcement-3-23-22/ta-p/111804#M3557

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22951

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22952

FIRST CVSSv3 Calculator:
CVE-2022-22951: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2022-22952: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

2022-03-23 VMSA-2022-0008
Initial security advisory.

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  

bugtraq@securityfocus.com  

fulldisclosure@seclists.org 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055 

VMware Security Advisories

https://www.vmware.com/security/advisories 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

Twitter

https://twitter.com/VMwareSRC

Copyright 2022 VMware Inc. All rights reserved.