Virtual reality

VMware has patched critical flaws in Workspace ONE Access identity management software

Virtualization software vendor VMware has released patches addressing critical web security vulnerabilities in several of its products.

The updates, released today (April 7), include patches for a remote code execution (RCE) flaw in VMware Workspace ONE Access, formerly known as Identity Manager.

The vulnerability – tracked as CVE-2022-22954 and with a CVSS rating of 9.8 – arises as the result of a server-side template injection issue.

“A malicious actor with network access can trigger a server-side template injection that may result in remote code execution,” VMware warns in a security bulletin.

Also on the critical list are two authentication bypass vulnerabilities in the OAuth2 ACS framework, which is tied to VMware Workspace ONE Access.

These flaws – tracked as CVE-2022-22955 and CVE-2022-22956 and both with a CVSS rating of 9.8 – each allow an attacker to bypass an authentication mechanism and “execute any operation due to exposed endpoints in the authentication framework”, VMware warns.

Further fixes

Another set of updates in the batch addresses two critical deserialization of untrusted data issues involving VMware Workspace ONE Access and vRealize Automation.

The flaws – tracked as CVE-2022-22957 and CVE-2022-22958 and given a severity rating of 9.1 – meant that an attacker with “administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution”.

All five flaws were discovered by Steven Seeley from the Qihoo 360 vulnerability research team. The Daily Swig invited them to comment on their findings, as well as the prevalence of the vulnerabilities.

The same VMware patch batch for VMware Workspace ONE Access and vRealize Automation also tackles several less serious flaws, including a cross-site request forgery (CSRF) vulnerability, a privilege escalation security flaw, and an information disclosure risk.

The latest release comes at a time when the infosec world at large continues to be on the lookout for exploitation of Spring4Shell, a critical vulnerability in VMware’s open source Spring Framework.

