VMware fixes critical flaws in Workspace ONE Access identity management software


John Leyden April 07, 2022 at 15:29 UTC

Updated: April 08, 2022 07:42 UTC

Virtual reality

Virtualization software vendor VMware has released patches fixing critical web security vulnerabilities in several of its products.

The updates, released today (April 7), include fixes for a remote code execution (RCE) flaw in VMware Workspace ONE Access, formerly known as Identity Manager.

The vulnerability – identified as CVE-2022-22954 and with a CVSS rating of 9.8 – results from a server-side model injection issue.

“A malicious actor with network access can trigger server-side template injection that could lead to remote code execution,” VMware warns in a security bulletin.

Also on the critical list are two authentication bypass vulnerabilities in the OAuth2 ACS framework, which is related to VMware Workspace ONE Access.

These flaws – tracked as CVE-2022-22955 and CVE-2022-22956 and both with a CVSS rating of 9.8 – each bypass an authentication mechanism and “perform any operation due to endpoints exposed as part of authentication,” VMware warns.

Other fixes

Another set of updates in the Batch Update addresses two critical untrusted data deserialization issues involving VMware Workspace ONE Access and vRealize Automation.

The flaws – tracked as CVE-2022-22957 and CVE-2022-22958 and with a severity rating of 9.1 – meant that an attacker with “administrator access can trigger deserialization of untrusted data via a malicious JDBC URI , which may result in remote code execution”. .

The five flaws were discovered by Steven Seeley of the Qihoo 360 Vulnerability Research Team. The daily sip invited them to comment on their findings, as well as the prevalence of vulnerabilities.

The same batch of VMware patches for VMware Workspace ONE Access and vRealize Automation also addresses several less severe flaws, including a cross-site request forgery (CSRF) vulnerability, an elevation of privilege security flaw, and a disclosure risk information.

The latest release comes at a time when the infosec world at large continues to be on the lookout for the Spring4Shell exploit, a critical vulnerability in VMWare’s open-source Spring Framework.

RELATED Spring4Shell: Microsoft and CISA warn against limited and wild exploitation


Comments are closed.