On Wednesday, April 6, 2022, VMware disclosed several critical-severity vulnerabilities impacting multiple VMware products. If successfully exploited, the vulnerabilities could lead to Remote Code Execution (RCE) or Authentication Bypass.
In addition to the critical severity vulnerabilities, VMware disclosed several high and medium severity vulnerabilities, which could lead to Cross Site Request Forgery (CSRF), Local Privilege Escalation (LPE), or Information Disclosure. All of the vulnerabilities were discovered and responsibly reported to VMware by a security researcher and patches are available to remediate all vulnerabilities.
Affected Products:
- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
Vulnerability | CVE Identifier |
Server-side Template Injection Remote Code Execution | CVE-2022-22954 |
OAuth2 ACS Authentication Bypass | CVE-2022-22955, CVE-2022-22956 |
JDBC Injection Remote Code Execution | CVE-2022-22957, CVE-2022-22958 |
Cross Site Request Forgery | CVE-2022-22959 |
Local Privilege Escalation | CVE-2022-22960 |
Information Disclosure | CVE-2022-22961 |
References
- VMware Advisory: https://www.vmware.com/security/advisories/VMSA-2022-0011.html
- Advisory FAQ: https://core.vmware.com/vmsa-2022-0011-questions-answers-faq
- VMware Knowledge Base – Workaround Instructions: https://kb.vmware.com/s/article/88098
- VMware Knowledge Base – Patching Instructions: https://kb.vmware.com/s/article/88099
Comments are closed