VMware released a critical advisory addressing security vulnerabilities found and resolved in VMware’s Workspace ONE Access, VMware Identity Manager (vIDM), vRealize Lifecycle Manager, vRealize Automation, and VMware Cloud Foundation products.
All customers who have deployed Workspace ONE Access or any product that includes VMware Identity Manager (vIDM) components are affected. VMware has fixed multiple vulnerabilities, with CVSS scores ranging from 5.3 to 9.8.
1. Server-side Template Injection Remote Code Execution Vulnerability (CVE-2022-22954)
The company urges customers to patch a critical remote code execution (RCE) vulnerability, tracked as CVE-2022-22954, in VMware Workspace ONE Access and Identity Manager caused by server-side template injection. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
VMware noted that this RCE vulnerability should be patched or mitigated immediately because the ramifications of this vulnerability are serious. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
2. OAuth2 ACS Authentication Bypass Vulnerabilities (CVE-2022-22955, CVE-2022-22956)
There are two authentication bypass vulnerabilities in the OAuth2 ACS framework which affect VMware Workspace ONE Access. Again, VMware has evaluated the severity of these issues to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework. Note that these issues only impact Workspace ONE Access.
3. JDBC Injection Remote Code Execution Vulnerabilities (CVE-2022-22957, CVE-2022-22958)
VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain two remote code execution vulnerabilities. VMware has evaluated the severity of these issues to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.
A malicious actor with administrative access can trigger the deserialization of untrusted data through a malicious JDBC URI, which may result in remote code execution.
4. Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2022-22959)
This vulnerability affects VMware Workspace ONE Access, Identity Manager, and vRealize Automation. The severity of this vulnerability has been marked as Important with a CVSS score of 8.8. To exploit this vulnerability, attackers can use cross-site request forgery to trick a user into unintentionally validating a malicious JDBC URI.
5. Local Privilege Escalation Vulnerability (CVE-2022-22960)
Improper permissions in support scripts lead to a privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. Successful exploitation of the bug allows an attacker with local access to gain root access. Again, this vulnerability has been marked as Important with a CVSS score of 7.8.
6. Information Disclosure Vulnerability (CVE-2022-22961)
VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain an information disclosure vulnerability due to returning excess information. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
A malicious actor with remote access may leak the hostname of the target system. Successful exploitation of this issue can lead to the targeting of victims.
All the above six vulnerabilities were discovered and reported by Steven Seeley (mr_me) of Qihoo 360 Vulnerability Research Institute.
The vendor has already made security updates available for all the above-mentioned products. VMware has noted that they have not seen evidence that this vulnerability has been exploited in the wild.