VMware urges patching Workspace ONE Access and VMware products that include components of VMware Identity Manager.

Virtualization and cloud vendor VMware this week disclosed eight vulnerabilities in five of its products, and urged users of Workspace ONE Access and all its products that include VMware Identity Manager components to patch immediately. Three of those vulnerabilities (five CVE identifiers between them) were rated critical on the CVSSv3 scale: two allow remote code execution, while the third lets a bad actor bypass VMware's user authentication to execute unauthorized operations.

One critical vulnerability, CVE-2022-22954, is a server-side template injection in Workspace ONE Access and Identity Manager that can lead to remote code execution, and it requires only network access to the service on which the software is running, with no credentials.

Another remote code execution vulnerability in Workspace ONE Access, Identity Manager and vRealize Automation, tracked as CVE-2022-22957 and CVE-2022-22958, would let a bad actor who already holds administrative access take control of those systems by supplying a malicious Java Database Connectivity (JDBC) URI.

The user-authentication bypass, tracked as CVE-2022-22955 and CVE-2022-22956, works by exploiting exposed endpoints in the authentication framework of Workspace ONE Access.

According to Ian McShane, vice president of strategy at cybersecurity vendor Arctic Wolf, these vulnerabilities are serious indeed, and underline the urgency of applying patches to the most critical security holes. “With any company, change control should be a best practice,” he said.
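Because the server-side template injection needs only network access, the first question most defenders ask is whether anyone has already probed for it. The script below is an added example, not VMware's code and not part of the original article: it scans web-server access logs in the common "combined" format for template-expression syntax and Java runtime-execution class names in request paths and query parameters, URL-decoding repeatedly so double-encoded payloads are not missed. The indicator list, the log lines, and the hosts, addresses and paths in them are constructed for illustration and are not a VMware-published signature.

```python
"""Scan access logs for server-side template injection (SSTI) attempts.

Added example, not VMware's code.  The indicators below are generic SSTI
heuristics assumed for illustration; the sample log lines are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Client address and request line of the Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# Template-expression delimiters used by common engines, plus the Java class
# and method names a payload needs to go from template evaluation to running
# a process.  The delimiters alone are weak signals; the Java names are strong.
INDICATORS = {
    "dollar-brace ${...}": re.compile(r"\$\{[^}]*\}"),
    "hash-brace #{...}": re.compile(r"#\{[^}]*\}"),
    "double-brace {{...}}": re.compile(r"\{\{[^}]*\}\}"),
    "statement {%...%}": re.compile(r"\{%[^%]*%\}"),
    "java runtime exec": re.compile(
        r"java\.lang\.Runtime|getRuntime\s*\(|ProcessBuilder", re.I),
}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (%2524 -> %24 -> $) until the string stops changing,
    so double-encoded payloads are compared in their final form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def ssti_indicators(value: str) -> list:
    """Names of every indicator present in an already-decoded string."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def scan_access_log(lines) -> list:
    """One finding per request path or query parameter that carries template
    syntax.  Only the request line is inspected: POST bodies never reach an
    access log, so body-borne payloads need application or WAF logs instead."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        parts = urlsplit(m["target"])
        # parse_qsl decodes once; fully_decode handles further encoding layers.
        suspects = {"<path>": fully_decode(parts.path)}
        for key, val in parse_qsl(parts.query, keep_blank_values=True):
            suspects[key] = fully_decode(val)
        for where, decoded in suspects.items():
            hits = ssti_indicators(decoded)
            if not hits:
                continue
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "path": parts.path, "param": where, "decoded": decoded,
                "indicators": hits,
                "severity": "high" if "java runtime exec" in hits else "low",
            })
    return findings


# Constructed sample log (hypothetical addresses, hosts and paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Apr/2022:09:12:44 +0000] "GET /portal/ui/login?user=alice HTTP/1.1" 200 1820 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Apr/2022:09:13:02 +0000] "GET /portal/ui/verify?error=&deviceId=%24%7B7*7%7D HTTP/1.1" 400 312 "-" "curl/7.68.0"',
    '203.0.113.9 - - [06/Apr/2022:09:13:05 +0000] "GET /portal/ui/verify?error=&deviceId=%2524%257Bjava.lang.Runtime.getRuntime().exec(%2522id%2522)%257D HTTP/1.1" 200 57 "-" "curl/7.68.0"',
    '198.51.100.7 - - [06/Apr/2022:09:14:10 +0000] "GET /portal/ui/search?q=price%20%7B%7Bin%20USD%7D%7D HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['severity']:4} {f['ip']:14} {f['path']} {f['param']}={f['decoded']!r} {f['indicators']}")
```

The fourth sample line is a deliberate near-miss: `{{in USD}}` trips the delimiter heuristic but carries no execution primitive, which is why the severity field keys on the Java class names rather than on the braces. Treat the "low" findings as triage input and the "high" ones as incidents, and remember that a 200 response to a payload like the third line means the server evaluated the request, not merely received it.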
“But [the critical security flaws] require immediate changes, and are the ones that should be pushed out without testing.”

Yaron Tal, the founder and CTO of Reposify, an Israeli startup providing machine-learning based EASM (external attack surface management), said that remote code execution vulnerabilities essentially let threat actors “run rampant” in compromised systems, stealing credentials and sensitive data and disseminating malware.

“With [remote code execution], unprivileged external code can run remotely on any vulnerable machine in the network,” he said. “Hackers are left to puppeteer attacks remotely with devastating impact. No strike is out of the question—data can be lost or stolen, communications proxied to a remote location, company data copied to private drives, or corporate reputation damaged with explicit content. All are very real, legitimate possibilities.”

Immediate patching could be difficult for some companies, particularly those with service-level agreements and contractual mandates for a given level of uptime, because they may need to restart or reboot affected systems for patching, according to McShane. “Everyone’s organization has different environments and different needs,” he said.

Tal agreed that the patches were of immediate importance, and noted that this is likely to be an inconvenience for VMware’s customers. “We don’t know the patching mechanism in detail, but what we can say for certain is that access management systems are required to be on 24/7, and patches cannot be applied without turning the system off,” he said. “Patches are typically applied at predetermined times (like Christmas, Thanksgiving) when the workspace environment is quiet to minimize downtime as much as possible.”

VMware credited Steven Seeley of the Qihoo 360 Vulnerability Research Institute with discovering the flaws.