VMware warns of critical remote code execution bug in Workspace ONE Access

Other severe vulnerabilities have been resolved.
Written by Charlie Osborne, Contributing Writer

VMware is urging customers to update their software to resolve critical vulnerabilities, including a remote code execution (RCE) bug in Workspace ONE Access.

On Wednesday, the tech giant published a security advisory warning of vulnerabilities in its enterprise software. The products impacted are VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

The first vulnerability is CVE-2022-22954, impacting VMware Workspace ONE Access and Identity Manager. CVE-2022-22954 is described as a server-side template injection RCE and has been issued a CVSS severity score of 9.8. The vulnerability could be exploited by attackers as long as they have network access.

VMware has also developed patches to resolve CVE-2022-22955 and CVE-2022-22956; both issued a CVSS score of 9.8, impacting VMware Workspace ONE Access. The vulnerabilities were found in the OAuth2 ACS framework.

According to the vendor, "a malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework."

Two other bugs, CVE-2022-22957 and CVE-2022-22958 (CVSS 9.1), have been resolved in Workspace ONE Access, Identity Manager, and vRealize Automation. Threat actors could trigger the deserialization of untrusted data through the JDBC URI parameter, which manages Java applications and their database connections, to trigger RCE.

However, attackers must have administrative access.

The same trio of software was also vulnerable to CVE-2022-22959 (CVSS 8.8), a cross-site request forgery (CSRF) bug which can be used to validate a malicious JDBC URI.

VMware has also resolved CVE-2022-22960 (CVSS 7.8), a local privilege escalation bug, and CVE-2022-22961 (CVSS 5.3), an information leak in Workspace ONE Access, Identity Manager, and vRealize Automation.

VMware has not found any evidence of the vulnerabilities being actively exploited in the wild.

Patches are available, but if this is not possible, the vendor has also provided workaround instructions to mitigate attack risk.

Steven Seeley, from the Qihoo 360 Vulnerability Research Institute, was thanked for privately reporting the vulnerabilities to VMware.

In other VMware news this month, the vendor's open source Spring Framework has been at the center of a storm surrounding SpringShell/Spring4Shell, a critical vulnerability in the software's Core that could be exploited to achieve Remote Code Execution (RCE).

Tracked as CVE-2022-22965 and issued a CVSS score of 8.1, Spring4Shell impacts Tomcat servicers operating Spring MVC/WebFlux with JDK 9+. In addition, the vulnerability also affects VMware Tanzu Application Service for VMs, Tanzu Operations Manager, and Tanzu Kubernetes Grid Integrated Edition. 

See also

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards