Multiple Critical Vulnerabilities in VMware Products

VMware has released security updates to address several critical vulnerabilities in multiple VMware products:

• VMware Workspace ONE Access (Access)

• VMware Identity Manager (vIDM)

• VMware vRealize Automation (vRA)

• VMware Cloud Foundation

• vRealize Suite Lifecycle Manager

The vulnerabilities are:

• CVE-2022-22954: VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. An attacker with network access can trigger a server-side template injection that may result in remote code execution. 

• CVE-2022-22955 and CVE-2022-22956: VMware Workspace ONE Access has two authentication bypass vulnerabilities in the OAuth2 Access Control Service (ACS) framework. An attacker may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.

• CVE-2022-22957 and CVE-2022-22958: VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities. An attacker with administrative access can trigger deserialisation of untrusted data through malicious Java Database Connectivity (JDBC) Uniform Resource Identifier (URI) which may result in remote code execution.

Users and administrators of the affected products are advised to upgrade to the latest versions immediately.

More information is available here:

https://www.vmware.com/security/advisories/VMSA-2022-0011.html

https://www.bleepingcomputer.com/news/security/vmware-warns-of-critical-vulnerabilities-in-multiple-products/