VMware Patches 3 RCEs & 2 Authentication Bypass Vulnerabilities Affecting Multiple Products

April 7, 2022


VMware has patched 3 remote code execution vulnerabilities and 2 authentication bypass vulnerabilities. 

In total, VMware has patched 8 vulnerabilities affecting ‘Workspace One Access’, ‘Identity Manager’, ‘vRealize Automation’, ‘vRealize Suite Lifecycle Manager’, and ‘Cloud Foundation’.

The Vulnerabilities

  • CVE-2022-22954 (CVSS 3.1: 9.8, Critical) – Server-side Template Injection.
    • A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
  • CVE-2022-22957, CVE-2022-22958 (CVSS 3.1: 9.1, Critical) – JDBC Injection.
    • A malicious actor with administrative access can trigger deserialization of untrusted data through a malicious JDBC URI, which may result in remote code execution.
  • CVE-2022-22955, CVE-2022-22956 (CVSS 3.1: 9.8, Critical) – OAuth2 ACS Authentication Bypass.
    • A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.

Affected Products

  • ‘Workspace One Access’ (Access) – versions 21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0.
  • ‘Identity Manager’ (vIDM) – versions 3.3.6, 3.3.5, 3.3.4, 3.3.3.
  • ‘vRealize Automation’ (vRA) – versions 7.6, 8.x.

A detailed list of affected products can be found in VMware’s official advisory.
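The first practical step after reading an advisory like this is to match it against your own inventory. The following script is an added example (not CYREBRO's or VMware's code): the affected-version table is transcribed from the list above, including the "8.x" wildcard for vRealize Automation, and the host inventory is constructed sample data with placeholder host names. Products the page does not give a version list for (such as Cloud Foundation) are reported as "unknown" rather than clean, so they are not silently dropped.

```python
"""Match a host inventory against the affected versions this advisory lists.

Added example. AFFECTED_VERSIONS is transcribed from the advisory summary;
SAMPLE_INVENTORY is constructed sample data with placeholder host names.
"""
from typing import Optional

# Affected versions exactly as the advisory lists them ("8.x" is a wildcard).
AFFECTED_VERSIONS = {
    "workspace one access": ["21.08.0.1", "21.08.0.0", "20.10.0.1", "20.10.0.0"],
    "identity manager": ["3.3.6", "3.3.5", "3.3.4", "3.3.3"],
    "vrealize automation": ["7.6", "8.x"],
}


def parse_version(text: str) -> tuple:
    """Turn '21.08.0.1' into (21, 8, 0, 1); a trailing 'x' becomes None (wildcard).

    Trailing zero components are dropped so '7.6.0' and '7.6' compare equal.
    """
    parts = []
    for piece in text.strip().split("."):
        if piece.lower() == "x":
            parts.append(None)
            break  # wildcard must be the last component; anything after it is ignored
        if not piece.isdigit():
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(piece))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_matches(version: str, pattern: str) -> bool:
    """True if 'version' equals 'pattern', or falls under a wildcard like '8.x'."""
    v, p = parse_version(version), parse_version(pattern)
    if p and p[-1] is None:
        prefix = p[:-1]
        return v[: len(prefix)] == prefix
    return v == p


def is_affected(product: str, version: str) -> Optional[bool]:
    """True/False for products in the table; None when the page lists no versions."""
    patterns = AFFECTED_VERSIONS.get(product.strip().lower())
    if patterns is None:
        return None  # not in this summary's table: consult the full VMware advisory
    return any(version_matches(version, pat) for pat in patterns)


def triage(inventory: list) -> dict:
    """Bucket inventory entries into affected / not_affected / unknown by host name."""
    report = {"affected": [], "not_affected": [], "unknown": []}
    for entry in inventory:
        verdict = is_affected(entry["product"], entry["version"])
        bucket = "unknown" if verdict is None else ("affected" if verdict else "not_affected")
        report[bucket].append(entry["host"])
    return report


# Constructed sample inventory; host names are placeholders.
SAMPLE_INVENTORY = [
    {"host": "idm-01.example.internal", "product": "Identity Manager", "version": "3.3.5"},
    {"host": "vra-01.example.internal", "product": "vRealize Automation", "version": "8.6.2"},
    {"host": "vra-02.example.internal", "product": "vRealize Automation", "version": "7.5"},
    {"host": "wsa-01.example.internal", "product": "Workspace One Access", "version": "21.08.0.1"},
    {"host": "vcf-01.example.internal", "product": "Cloud Foundation", "version": "4.4"},
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the product and version strings your CMDB or vSphere inventory export already contains; anything that lands in "unknown" needs to be checked against the full VMware advisory rather than assumed safe.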

Mitigation

CYREBRO recommends patching relevant products by applying the hotfixes listed in the linked patch instructions.

Workaround

If there are any difficulties with mitigation at this point, apply the following workarounds.


References: VMware Security Advisory
