[CDP-development] FW: State CIO Message Regarding VMware Vulnerabilities
ALBIN Cinnamon S * DAS
cinnamon.s.albin at das.oregon.gov
Thu May 19 15:28:23 PDT 2022
Sharing the following correspondence from State CIO, Terrence Woods, that we are distributing to local governments through various channels.
Cinnamon Albin
Cyber Security
Enterprise Information Services
Cyber Security Services (CSS)
Cell: (971)707-1966
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 22-03 (ED 22-03) Mitigate VMware Vulnerabilities <https://www.cisa.gov/emergency-directive-22-03> on May 18, 2022, requiring federal civilian executive branch agencies running specific VMware products to apply VMware updates or remove the products from agency networks until the update can be applied. In partnership with the Governor's Office, I have directed the same mitigation actions for all state agencies with a targeted completion date of May 20, 2022. I encourage you to follow the CISA guidance for your own organizations.
The emergency directive is in response to observed or expected active exploitation of a series of vulnerabilities (CVE-2022-22954, CVE-2022-22960, CVE-2022-22972, CVE-2022-22973) in the following VMware products:
o VMware Workspace ONE Access (Access),
o VMware Identity Manager (vIDM),
o VMware vRealize Automation (vRA),
o VMware Cloud Foundation,
o vRealize Suite Lifecycle Manager (impacted VMware products).
These required actions apply to agency assets in any information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.
For information systems hosted in third-party environments, each agency is responsible for maintaining an inventory of its information systems hosted in those environments and obtaining status updates pertaining to, and to ensure compliance with, this directive.
Sincerely,
Terrence Woods
State Chief Information Officer
Enterprise Information Services
Executive Assistant: Dagny George
Dagny.george at oregon.gov | 971.707.0233