• A new patch update released by VMware in its products will address critical web security vulnerabilities.
  • The recent patch update of VMware includes Remote Code Execution (RCE) flaw patch.

VMware, a virtualization software provider, has launched patches to address crucial web security vulnerabilities in many of its products.

The latest updates have a Remote Code Execution (RCE) flaw patch in VMware workspace ONE Access, earlier known as Identity Manager.

The vulnerability is monitored as CVE-2022-22954 and has a CVSS 9.8 rating resulting from a server-side injection issue.

In one of its security bulletins, VMware warned its users, “A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.”

Additionally, there are two authentication bypass vulnerabilities in the OAuth2 ACS framework, which is integrated into VMware Workspace ONE Access.

The flaws monitored as CVE-2022-22955 and CVE-2022-22956 have a CVSS 9.8 rating. Each of these bypass authentication mechanisms and “execute any operation due to exposed endpoints in the authentication framework,” VMware warns.

Additional fixes

A separate set of updates in the batch update addresses two crucial deserialization of untrustworthy data concerns, including VMware Workspace ONE Access and vRealize Automation.

With a severity rating of 9.1, the flaws monitored as CVE-2022-22957 and CVE-2022-22958– meant that a cybercriminal with “administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution.”

Steven Seeley from the Qihoo 360 vulnerability research team found all five flaws. An online cybersecurity publication invited them to share their thoughts on their findings and the prevalence of the vulnerabilities.

The same VMware patch batch for VMware Workspace ONE Access and vRealize Automation also solves many less serious flaws, including a cross-site request forgery (CSRF) vulnerability, a priority escalation security flaw, and a data disclosure risk.

The recent release has come at a time when the infosec world at large continues to be on the search for exploitation of Spring4Shell, a crucial vulnerability in VMWare’s open-source Spring Framework.