VMware urges patching Workspace ONE Access and VMware products that include components of VMware Identity Manager.

Virtualization and cloud vendor VMware this week disclosed eight vulnerabilities in five of its products, and urged users of Workspace ONE Access and all its products that include VMware Identity Manager components to patch immediately.

Three of those vulnerabilities were rated critical on the CVSSv3 scale: two of them contain the possibility for remote code execution, while the third would allow a bad actor to bypass VMware’s user authentication systems to execute unauthorized operations.

One critical vulnerability, CVE-2022-22954, centers on server-side template injection in Workspace ONE Access and Identity Manager as a possible method of achieving remote code execution, and requires only access to the network on which the services are running. Another remote code execution vulnerability in Workspace ONE Access, Identity Manager and vRealize Automation, reported as both CVE-2022-22957 and CVE-2022-22958, would let a bad actor with administrative access control those systems via a malicious Java Database Connectivity (JDBC) URI. The user-authentication bypass, tagged as CVE-2022-22955 and CVE-2022-22956, works by exploiting exposed endpoints in the authentication framework in Workspace ONE Access.

According to Ian McShane, vice president of strategy at cybersecurity vendor Arctic Wolf, these vulnerabilities are serious indeed, and underline the urgency of applying patches to the most critical security holes. “With any company, change control should be a best practice,” he said. “But [the critical security flaws] require immediate changes, and are the ones that should be pushed out without testing.”

Yaron Tal, the founder and CTO of Reposify, an Israeli startup providing machine-learning-based external attack surface management (EASM), said that remote code execution vulnerabilities essentially let threat actors “run rampant” in compromised systems, stealing credentials and sensitive data and disseminating malware. “With [remote code execution], unprivileged external code can run remotely on any vulnerable machine in the network,” he said. “Hackers are left to puppeteer attacks remotely with devastating impact. No strike is out of the question—data can be lost or stolen, communications proxied to a remote location, company data copied to private drives, or corporate reputation damaged with explicit content. All are very real, legitimate possibilities.”

Immediate patching could be difficult for some companies, particularly those with service-level agreements and contractual mandates for a given level of uptime, because they may need to restart or reboot affected systems for patching, according to McShane. “Everyone’s organization has different environments and different needs,” he said.

Tal agreed that the patches were of immediate importance, and noted that this is likely to be an inconvenience for VMware’s customers. “We don’t know the patching mechanism in detail, but what we can say for certain is that access management systems are required to be on 24/7, and patches cannot be applied without turning the system off,” he said. “Patches are typically applied at predetermined times (like Christmas, Thanksgiving) when the workspace environment is quiet to minimize downtime as much as possible.”

VMware credited Steven Seeley of the Qihoo 360 Vulnerability Research Institute with discovering the flaws.