April 7, 2022
VMware Patches 3 RCEs & 2 Authentication Bypass Vulnerabilities Affecting Multiple Products
VMware has patched 3 remote code execution vulnerabilities and 2 authentication bypass vulnerabilities.
In total, VMware has patched 8 vulnerabilities affecting ‘Workspace One Access’, ‘Identity Manager’, ‘vRealize Automation’, ‘vRealize Suite Lifecycle Manager’, and ‘Cloud Foundation’.
- CVE-2022-22954 (CVSS 3.1: 9.8, Critical) – Server-side Template Injection.
  - A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
- CVE-2022-22957, CVE-2022-22958 (CVSS 3.1: 9.1, Critical) – JDBC Injection.
  - A malicious actor with administrative access can trigger deserialization of untrusted data through a malicious JDBC URI, which may result in remote code execution.
- CVE-2022-22955, CVE-2022-22956 (CVSS 3.1: 9.8, Critical) – OAuth2 ACS Authentication Bypass.
  - A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.
- ‘Workspace One Access’ (Access) – versions 21.08.0.1, 21.08.0.0, 18.104.22.168, 22.214.171.124.
- ‘Identity Manager’ (vIDM) – versions 3.3.6, 3.3.5, 3.3.4, 3.3.3.
- ‘vRealize Automation’ (vRA) – versions 7.6, 8.x.
A detailed list of affected products can be found in VMware’s official advisory.
CYREBRO recommends patching relevant products by applying the hotfixes listed in the linked patch instructions.
Workaround
If patching is not possible at this point, apply the following workarounds.
References: VMware Security Advisory