Two new VMware vulnerabilities have been disclosed, CVE-2022-22951 and CVE-2022-22952, both rated 9.1 on the CVSS scale. The flaws affect the Carbon Black App Control platform, and could be exploited in arbitrary code execution attacks against vulnerable Windows systems. The vulnerabilities were discovered by security researcher Jari Jääskelä.
This vulnerability has been described as an OS command injection issue.
According to the official advisory, VMware Carbon Black App Control contains an OS command injection vulnerability.
What is the known attack vector? An authenticated attacker with high privileges and network access to the app’s admin interface could execute commands on the server, as a result of improper input validation. This could then lead to remote code execution.
To fix the issue, VMware says that you need to apply the patches as described in the advisory.
This vulnerability is a file upload issue. A threat actor with admin access to the VMware App Control administration interface could execute code on the Windows instance where AppC Server is installed by uploading a specially crafted file, VMware said.
Applying the available patch as described in the advisory fixes the issue.
Another recently disclosed VMware vulnerability is CVE-2021-22057. The issue was described as a critical vulnerability in VMware Workspace ONE Access that specifically affected its two factor authentication (2FA) processing component.