VMware warns of critical vulnerabilities in multiple products

VMware has warned customers to immediately patch critical vulnerabilities in multiple products that threat actors could use to launch remote code execution attacks.

“This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0011. The ramifications of this vulnerability are serious,” VMware warned on Wednesday.

“All environments are different, have different tolerance for risk, and have different security controls and defense-in-depth to mitigate risk, so customers must make their own decisions on how to proceed. However, given the severity of the vulnerability, we strongly recommend immediate action.”

Patches for five critical vulnerabilities

The list of critical security flaws patched today includes a server-side template injection remote code execution vulnerability (CVE-2022-22954), two OAuth2 ACS authentication bypass vulnerabilities (CVE-2022-22955, CVE-2022-22956), and two JDBC injection remote code execution vulnerabilities (CVE-2022-22957, CVE-2022-22958).

VMware also patched high and medium severity bugs that could be exploited for Cross-Site Request Forgery (CSRF) attacks (CVE-2022-22959), escalate privileges (CVE-2022-22960), and gain access to information without authorization (CVE-2022-22961).

The complete list of VMware products impacted by these security vulnerabilities includes:

• VMware Workspace ONE Access (Access)
• VMware Identity Manager (vIDM)
• VMware vRealize Automation (vRA)
• VMware Cloud Foundation
• vRealize Suite Lifecycle Manager

The company added that it found no evidence of these bugs being exploited in the wild before today’s security advisory was published.

VMware’s knowledgebase website also has a complete list of fixed versions and download links to hotfix installers.

Workaround also available

VMware also provides workarounds for those who cannot immediately patch their appliances as a temporary solution. The steps detailed here require admins to run a VMware-provided Python-based script on affected virtual appliances.

However, the company says that the only way to remove the vulnerabilities entirely is to apply the patches.

“Workarounds, while convenient, do not remove the vulnerabilities, and may introduce additional complexities that patching would not,” VMware added.

“While the decision to patch or use the workaround is yours, VMware always strongly recommends patching as the simplest and most reliable way to resolve this issue.”

A document with additional questions and answers regarding the critical vulnerabilities patched today is available here.

On Monday, VMware also released security updates to address the critical Spring4Shell RCE flaw in VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager, and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)/