VMware Releases Patches to Fix Critical Remote Code Execution Exploit in Workspace ONE Access

VMware has released patches to address several “critical” security vulnerabilities impacting its products. The company published a security advisory that encourages customers to apply all security patches and mitigations as soon as possible.

VMware says that the security flaws in its enterprise software were privately reported by a security researcher at the Qihoo 360 Vulnerability Research Institute. The list of affected products includes VMware Workspace ONE Access, VMware vRealize Automation (vRA), VMware Identity Manager (vIDM), vRealize Suite Lifecycle Manager, and VMware Cloud Foundation.

“All environments are different, have different tolerance for risk, and have different security controls and defense-in-depth to mitigate risk, so customers must make their own decisions on how to proceed. However, given the severity of the vulnerability, we strongly recommend immediate action,” VMware said in a security alert issued yesterday.

The first security vulnerability (CVE-2022-22954) could be exploited by an attacker with network access to trigger server-side template injection that may lead to remote code execution (RCE). The security flaw impacts VMware Workspace ONE Access and Identity Manager and received a CVSS score of 9.8.

Additionally, VMware has released security updates to patch two vulnerabilities (CVE-2022-22955 and CVE-2022-22956) discovered in the OAuth2 ACS framework. The vulnerabilities enable threat actors to “bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.” The security flaws impact VMware Workspace ONE Access.

The last two bugs, tracked as CVE-2022-22957 and CVE-2022-22958 with a CVSS score of 9.1, affect Workspace ONE Access, vRealize Automation, and Identity Manager. Attackers could exploit these vulnerabilities to trigger the deserialization of untrusted data via a malicious JDBC URI, which results in remote code execution. However, attackers must first gain administrative access to exploit them.

VMware provides a workaround to mitigate RCE attacks

According to VMware, there is no evidence that these vulnerabilities have been exploited. The company has urged customers to apply all security patches, but it has also provided workarounds to mitigate these attacks. Specifically, VMware recommends that IT admins run a Python script on affected virtual machines.

In case you missed it, VMware has also released security updates to patch a critical remote code execution flaw dubbed Spring4Shell that affects several of its virtualization products. The RCE vulnerability (tracked as CVE-2022-22965) affects Spring applications running on JDK 9 or higher.