VMware warns of critical remote code execution bug in Workspace ONE Access

April 7, 2022 | Hi-network.com

VMware is urging customers to update their software to resolve critical vulnerabilities, including a remote code execution (RCE) bug in Workspace ONE Access.

On Wednesday, the tech giant published a security advisory (VMSA-2022-0011) warning of eight vulnerabilities in its enterprise software. The products impacted are VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.


The first vulnerability is CVE-2022-22954, impacting VMware Workspace ONE Access and Identity Manager. CVE-2022-22954 is described as a server-side template injection (SSTI) leading to remote code execution and has been issued a CVSS severity score of 9.8. It can be triggered by an attacker who merely has network access to the appliance; no credentials are required, which is why it sits at the top of the advisory.

VMware has also developed patches to resolve CVE-2022-22955 and CVE-2022-22956; both issued a CVSS score of 9.8, impacting VMware Workspace ONE Access. The vulnerabilities were found in the OAuth2 ACS framework.

According to the vendor, "a malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework."

Two other bugs, CVE-2022-22957 and CVE-2022-22958 (CVSS 9.1), have been resolved in Workspace ONE Access, Identity Manager, and vRealize Automation. By supplying a malicious JDBC URI, the connection string that tells a Java application which database driver, host, and driver options to use, a threat actor can make the application deserialize untrusted data, which may result in RCE.

However, exploiting these two bugs requires administrative access to the product, which accounts for the slightly lower score.

The same trio of software was also vulnerable to CVE-2022-22959 (CVSS 8.8), a cross-site request forgery (CSRF) bug that lets an attacker trick a logged-in user into validating a malicious JDBC URI on their behalf, which removes the need for the attacker to hold administrative access themselves.
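To make the two JDBC issues above concrete, here is an added example (not VMware's code) of what a "validate JDBC URI" endpoint should look like when it is hardened on both fronts: a synchronizer-token CSRF check runs first, and the connection string is then held to an allowlist of driver, host, and driver options rather than being passed straight to a JDBC driver. The request dict, the hostname `db.internal.example`, and the parameter policy are assumptions made for the demo; the MySQL Connector/J property names are real and are the usual way a connection string turns into client-side deserialization, though the page does not say which driver the affected products use.

```python
# Added example (not VMware's code): a CSRF-protected "validate JDBC URI"
# handler that refuses connection strings outside an allowlist. The request
# dict, the allowed host and the parameter policy are assumptions for the demo.
import hmac
from urllib.parse import parse_qsl, urlsplit

ALLOWED_SUBPROTOCOLS = {"postgresql", "mysql", "mariadb"}
ALLOWED_HOSTS = {"db.internal.example"}  # hypothetical database host
ALLOWED_PARAMS = {"ssl", "sslmode", "usessl", "connecttimeout", "sockettimeout"}

# MySQL Connector/J properties that make the JDBC *client* deserialize bytes
# returned by the server. Pointed at an attacker-run host they turn a
# "test connection" into remote code execution, so they get a named rejection
# even though the allowlist below would refuse them anyway.
DESERIALIZATION_PARAMS = {"autodeserialize", "queryinterceptors", "statementinterceptors"}


def validate_jdbc_uri(uri: str) -> tuple[bool, str]:
    """Accept only jdbc:<subprotocol>://host[:port]/db?k=v against the allowlists.

    Returns (accepted, reason). Driver-specific forms such as Oracle's
    jdbc:oracle:thin:@host:port:sid are rejected because they carry no
    parseable authority section.
    """
    if not uri.lower().startswith("jdbc:"):
        return False, "not a jdbc: URI"
    parts = urlsplit(uri[len("jdbc:"):])  # scheme is the JDBC subprotocol
    if parts.scheme not in ALLOWED_SUBPROTOCOLS:
        return False, f"subprotocol {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URI"
    if parts.fragment:
        return False, "fragment not allowed"
    try:
        parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False, "malformed port"
    if parts.hostname not in ALLOWED_HOSTS:
        return False, f"host {parts.hostname!r} not allowed"
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        k = key.lower()
        if k in DESERIALIZATION_PARAMS:
            return False, f"parameter {key!r} enables client-side deserialization"
        if k not in ALLOWED_PARAMS:
            return False, f"parameter {key!r} not allowed"
    return True, "ok"


def handle_validate_jdbc(request: dict) -> dict:
    """Synchronizer-token CSRF check before any state-changing validation.

    `request` stands in for a framework request: {"method", "session", "form"}.
    The token is issued into the server-side session and must be echoed back
    in the form body; a cross-site form post cannot read it, so it fails here.
    """
    if request.get("method") != "POST":
        return {"status": 405, "reason": "POST required"}
    expected = request.get("session", {}).get("csrf_token", "")
    submitted = request.get("form", {}).get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return {"status": 403, "reason": "missing or mismatched CSRF token"}
    accepted, reason = validate_jdbc_uri(request.get("form", {}).get("jdbc_uri", ""))
    return {"status": 200 if accepted else 400, "reason": reason}


if __name__ == "__main__":
    # Constructed requests: one legitimate, one with a deserialization trigger,
    # one forged without the session token.
    session = {"csrf_token": "constructed-token"}
    good = {"method": "POST", "session": session,
            "form": {"csrf_token": "constructed-token",
                     "jdbc_uri": "jdbc:postgresql://db.internal.example:5432/app?sslmode=require"}}
    bad_uri = {"method": "POST", "session": session,
               "form": {"csrf_token": "constructed-token",
                        "jdbc_uri": "jdbc:mysql://db.internal.example:3306/app?autoDeserialize=true"}}
    forged = {"method": "POST", "session": session,
              "form": {"jdbc_uri": "jdbc:mysql://attacker.example/app?autoDeserialize=true"}}
    for name, req in (("good", good), ("bad_uri", bad_uri), ("forged", forged)):
        print(name, handle_validate_jdbc(req))
```

The order matters: the CSRF check runs before the URI is even parsed, so a forged request never reaches the driver, and the URI check is an allowlist (driver, host, and option names) so that a driver property nobody thought of is refused by default rather than by a deny-list entry someone has to remember to add.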

VMware has also resolved CVE-2022-22960 (CVSS 7.8), a local privilege escalation bug caused by improper permissions on support scripts that lets an attacker with local access escalate to root, and CVE-2022-22961 (CVSS 5.3), an information disclosure bug that can leak the hostname of the target system. Both affect Workspace ONE Access, Identity Manager, and vRealize Automation.

VMware has not found any evidence of the vulnerabilities being actively exploited in the wild.

Patches are available. Where patching immediately is not possible, the vendor has also published workaround instructions that reduce the attack surface until the fix can be applied; as with any workaround, they are a stopgap rather than a substitute for the patch.

Steven Seeley, from the Qihoo 360 Vulnerability Research Institute, was thanked for privately reporting the vulnerabilities to VMware.

In other VMware news this month, the vendor's open source Spring Framework has been at the center of a storm surrounding SpringShell/Spring4Shell, a critical vulnerability in Spring Core's data binding that could be exploited to achieve remote code execution (RCE).

Tracked as CVE-2022-22965 and issued a CVSS score of 8.1, Spring4Shell impacts applications that run on JDK 9 or newer, use Spring MVC or Spring WebFlux, and are deployed as WAR files on Apache Tomcat. In addition, the vulnerability also affects VMware Tanzu Application Service for VMs, Tanzu Operations Manager, and Tanzu Kubernetes Grid Integrated Edition.
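Because the Spring4Shell preconditions are a checklist (JDK 9+, a Spring MVC or WebFlux dependency older than the fixed 5.3.18 / 5.2.20 releases, a WAR on Tomcat), they lend themselves to a quick triage script. The following is an added example, not Spring's or VMware's tooling: it parses `java -version` output and the jar names in a deployed webapp's `WEB-INF/lib`, and reports whether the advisory's preconditions hold. It does not prove exploitability (that additionally needs a data-binding endpoint the attacker can reach), and the jar names it runs on below are constructed.

```python
# Added example (not Spring's or VMware's code): a triage helper that checks the
# preconditions named in the advisory for CVE-2022-22965 against a Tomcat
# webapp: JDK 9 or newer, and a spring-webmvc or spring-webflux jar older than
# the fixed 5.3.18 / 5.2.20 releases. Jar names below are constructed.
import os
import re
from typing import Optional

JAVA_VERSION_RE = re.compile(r'version "(\d+)(?:\.(\d+))?')
# Matches spring-webmvc-5.3.17.jar and spring-webmvc-5.2.20.RELEASE.jar alike.
SPRING_WEB_JAR_RE = re.compile(
    r"^spring-(webmvc|webflux)-(\d+)\.(\d+)\.(\d+)(?:[.-][\w.]+)?\.jar$", re.IGNORECASE
)


def parse_java_major(java_version_output: str) -> Optional[int]:
    """Feature version from `java -version` output: 1.8.0_292 -> 8, 11.0.15 -> 11."""
    m = JAVA_VERSION_RE.search(java_version_output)
    if not m:
        return None
    first, second = int(m.group(1)), m.group(2)
    return int(second) if first == 1 and second else first


def spring_version_vulnerable(version: tuple[int, int, int]) -> bool:
    """True for Spring Framework releases that lack the CVE-2022-22965 fix."""
    major, minor, patch = version
    if (major, minor) == (5, 3):
        return patch < 18
    if (major, minor) == (5, 2):
        return patch < 20
    return (major, minor) < (5, 2)  # older lines were out of support and unpatched


def assess(java_version_output: str, jar_names: list[str]) -> dict:
    """Combine the JDK check with the Spring web jars found in WEB-INF/lib."""
    major = parse_java_major(java_version_output)
    vulnerable = []
    for name in jar_names:
        m = SPRING_WEB_JAR_RE.match(name)
        if m and spring_version_vulnerable((int(m.group(2)), int(m.group(3)), int(m.group(4)))):
            vulnerable.append(name)
    return {
        "java_major": major,
        "vulnerable_spring_jars": vulnerable,
        # Both preconditions must hold: the same jar on JDK 8 is not exposed by this bug.
        "exposed": major is not None and major >= 9 and bool(vulnerable),
    }


def scan_webapp(webapp_dir: str, java_version_output: str) -> dict:
    """Run assess() over an exploded WAR directory under Tomcat's webapps/."""
    lib_dir = os.path.join(webapp_dir, "WEB-INF", "lib")
    jars = sorted(os.listdir(lib_dir)) if os.path.isdir(lib_dir) else []
    return assess(java_version_output, jars)


if __name__ == "__main__":
    # Constructed WEB-INF/lib listing and java -version banners.
    constructed = ["spring-core-5.3.17.jar", "spring-webmvc-5.3.17.jar", "tomcat-embed-core-9.0.60.jar"]
    print(assess('openjdk version "11.0.15" 2022-04-19', constructed))   # exposed
    print(assess('openjdk version "1.8.0_292"', constructed))            # JDK 8: not exposed
    print(assess('openjdk version "17.0.2"', ["spring-webmvc-5.3.18.jar"]))  # patched
```

A positive result from this script is a reason to patch to 5.3.18/5.2.20 or apply Spring's documented `WebDataBinder` disallowed-fields mitigation, not proof that an exploit lands; a negative result on the JDK check is the one case where the bug is genuinely out of reach, since the gadget depends on class-loader module access that only exists on JDK 9+.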
