VMware has recently addressed numerous serious security bugs affecting its identity management software Workspace ONE Access. Users should update their systems to the latest versions to avoid potential risks.
VMware Workspace ONE Access Bugs
As elaborated through a recent advisory, VMware fixed two severe security bugs in its Workspace ONE Access tool. It’s a dedicated identity management software that provides quicker “access to SaaS, web, and native mobile apps” with specific login factors, like MFA, SSO, and conditional access.
Explaining the bugs, the advisory listed 8 different vulnerabilities riddling the software. These include,
- CVE-2022-22954 (CVSS 9.8): a critical server-side template injection vulnerability. An adversary with network access could trigger the bug to achieve remote code execution.
- CVE-2022-22955, CVE-2022-22956 (CVSS 9.8): authentication bypass vulnerabilities in the OAuth2 ACS framework. An adversary could exploit the flaws and execute any functions to the exposed endpoints.
- CVE-2022-22957, CVE-2022-22958 (CVSS 9.1): remote code execution vulnerabilities that an adversary with admin access could trigger via deserialization of untrusted data through malicious JDBC URI.
- CVE-2022-22959 (CVSS 8.8): cross-site request forgery (CSRF) allowing malicious JDBC URI validation.
- CVE-2022-22960 (CVSS 7.8): improper permissions in support scripts could allow an attacker with local access gain root access to the target system.
These vulnerabilities typically affected the following VMware products.
- Workspace ONE Access (Access)
- Identity Manager (vIDM)
- vRealize Automation (vRA)
- Cloud Foundation
- vRealize Suite Lifecycle Manager
The firm has acknowledged Steven Seeley of Qihoo 360 Vulnerability Research Institute for discovering and reporting the bugs.
Following his reports, VMware patched the bugs and released fixes with the subsequent software updates that will automatically reach the users. Nonetheless, users must check for manual updates to ensure they are not missing the updates. Especially given the severity of the bugs, any ignorance in patching the bugs may lead to disastrous situations.
Let us know your thoughts in the comments.