VMware recently patched a number of serious security bugs affecting its Workspace ONE Access identity management software. Users should update their systems to the latest versions to avoid potential risks.
VMware Workspace ONE Access Bugs
As detailed in a recent advisory, VMware has fixed two serious security bugs in its Workspace ONE Access tool, dedicated identity management software that provides “faster access to native SaaS, web, and mobile apps” with specific login controls such as MFA, SSO, and conditional access.
In explaining the bugs, the advisory listed 8 different vulnerabilities affecting the software. These included:
- CVE-2022-22954 (CVSS 9.8): A critical server-side model injection vulnerability. An adversary with network access could trigger the bug to achieve remote code execution.
- CVE-2022-22955, CVE-2022-22956 (CVSS 9.8): Authentication bypass vulnerabilities in the OAuth2 ACS framework. An adversary could exploit the vulnerabilities and perform any function on the exposed endpoints.
- CVE-2022-22957, CVE-2022-22958 (CVSS 9.1): Remote code execution vulnerabilities that an adversary with administrator access could trigger by deserializing untrusted data through a malicious JDBC URI.
- CVE-2022-22959 (CVSS 8.8): A cross-site request forgery (CSRF) vulnerability allowing malicious validation of JDBC URIs.
- CVE-2022-22960 (CVSS 7.8): Incorrect permissions in supporting scripts could allow an attacker with local access to gain root access to the target system.
These vulnerabilities affected the following VMware products:
- Workspace ONE Access (Access)
- Identity Manager (vIDM)
- vRealize Automation (vRA)
- Cloud Foundation
- vRealize Suite Lifecycle Manager
The company credited Steven Seeley of Qihoo 360 Vulnerability Research Institute for discovering and reporting the bugs.
Following his reports, VMware fixed the bugs and released patches in subsequent software updates that will reach users automatically. Still, users should check for updates manually to make sure none are missed. Given the severity of these bugs, neglecting to apply the fixes could have serious consequences.