VMware has fixed a total of eight security vulnerabilities in several of its products, including VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. It is noteworthy that some of the issues could have been exploited in remote code execution attacks.
From CVE-2022-22954 to CVE-2022-22961: More about the VMware Vulnerabilities
The vulnerabilities have been tracked from CVE-2022-22954 to CVE-2022-22961, with five of them critical, two important, and one moderate in terms of severity. The flaws have been reported by Qihoo 360 security researcher Steven Seeley.
Here is the list of the eight vulnerabilities:
- CVE-2022-22954 with a CVSS score of 9.8: the vulnerability has been described as a server-side template injection remote code execution issue in VMware Workspace ONE Access and Identity Manager;
- CVE-2022-22955 and CVE-2022-22956, both with a CVSS score of 9.8: OAuth2 ACS authentication bypass issues in VMware Workspace ONE Access;
- CVE-2022-22957 and CVE-2022-22958, both with a CVSS score of 9.1: JDBC injection remote code execution flaws in VMware Workspace ONE Access, Identity Manager, and vRealize Automation;
- CVE-2022-22959 with a CVSS score of 8.8: a cross-site request forgery (CSRF) flaw affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation;
- CVE-2022-22960 with a CVSS score of 7.8: a local privilege escalation issue affecting VMware Workspace ONE Access, Identity Manager and vRealize Automation;
- CVE-2022-22961 with a CVSS score of 5.3: an information disclosure vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation.
How could the vulnerabilities be exploited? Threat actors could use them to escalate privileges to root, gain access to the hosts, and perform arbitrary code execution attacks, ending in complete takeover of the vulnerable systems.
Are there any workarounds available? VMware warns that “workarounds, while convenient, do not remove the vulnerabilities, and may introduce additional complexities that patching would not.” So, it is best to patch the vulnerabilities, as described in the company’s advisory.
In March, VMware disclosed two other critical flaws, CVE-2022-22951 and CVE-2022-22952, both rated 9.1 on the CVSS scale. The vulnerabilities affected the Carbon Black App Control platform, and could be exploited in arbitrary code execution attacks against vulnerable Windows systems. The vulnerabilities were discovered by security researcher Jari Jääskelä.