VMware has released a security advisory urging its customers to update their software to resolve critical vulnerabilities. One of the vulnerabilities in VMware's current software could allow remote code execution in Workspace ONE Access. Other products impacted include VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. The first vulnerability, which primarily impacts Workspace ONE Access and VMware Identity Manager, is described as a server-side template injection that leads to remote code execution. The bug, tracked as CVE-2022-22954, has been assigned a CVSS severity score of 9.8.
According to VMware, the bug could be exploited by an attacker with network access. VMware has also developed patches to resolve two other vulnerabilities, each also rated with a CVSS score of 9.8. These vulnerabilities, tracked as CVE-2022-22955 and CVE-2022-22956, impact VMware Workspace ONE Access. The flaws lie in the product's OAuth2 ACS framework. VMware stated that a malicious actor could exploit the flaws to bypass the authentication mechanism and remotely execute operations, because of exposed endpoints in the authentication framework.
Read More: VMware warns of critical remote code execution bug in Workspace ONE Access