Important
VMSA-2022-0022
5.6-7.2
2022-08-09
2022-08-09 (Initial Advisory)
CVE-2022-31672, CVE-2022-31673, CVE-2022-31674, CVE-2022-31675
VMware vRealize Operations contains multiple vulnerabilities
1. Impacted Products
- VMware vRealize Operations
2. Introduction
Multiple vulnerabilities in vRealize Operations were privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.
3a. Privilege Escalation Vulnerability (CVE-2022-31672)
Description
VMware vRealize Operations contains a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.
Known Attack Vectors
A malicious actor with administrative network access can escalate privileges to root.
Resolution
To remediate CVE-2022-31672, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.
3b. Information Disclosure Vulnerability (CVE-2022-31673)
Description
VMware vRealize Operations contains an information disclosure vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.
Known Attack Vectors
A low-privileged malicious actor with network access can create and leak hex dumps, leading to information disclosure. Successful exploitation can lead to a remote code execution.
Resolution
To remediate CVE-2022-31673, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.
3c. Information Disclosure Vulnerability (CVE-2022-31674)
Description
VMware vRealize Operations contains an information disclosure vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.
Known Attack Vectors
A low-privileged malicious actor with network access can access log files that lead to information disclosure.
Resolution
To remediate CVE-2022-31674, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.
3d. Authentication Bypass Vulnerability (CVE-2022-31675)
Description
VMware vRealize Operations contains an authentication bypass vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.6.
Known Attack Vectors
An unauthenticated malicious actor with network access may be able to create a user with administrative privileges.
Resolution
To remediate CVE-2022-31675, apply the patches listed in the ‘Fixed Version’ column of the ‘Resolution Matrix’ found below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
VMware would like to thank Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute for reporting this issue to us.
Response Matrix:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
VMware vRealize Operations | 8.x | Any | CVE-2022-31672, CVE-2022-31673, CVE-2022-31674, CVE-2022-31675 | important
| None | None |
4. References
VMware vRealize Operations 8.6.4:
Release Notes: https://docs.vmware.com/en/vRealize-Operations/8.6.4/rn/vrealize-operations-864-release-notes/index.html
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31672
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31673
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31674
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31675
FIRST CVSSv3 Calculator:
CVE-2022-31672: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2022-31673: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2022-31674: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2022-31675: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
5. Change Log
2022-08-09: VMSA-2022-0022
Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2022 VMware Inc. All rights reserved.
Read full article (vmware.com)
All content and images belong to their respected owners, this article is curated for informational purposes only.
