VMware urges patching Workspace ONE Access and VMware products that include components of VMware Identity Manager.

Virtualization and cloud vendor VMware this week disclosed eight vulnerabilities in five of its products, and urged users of Workspace ONE Access and all its products that include VMware Identity Manager components to patch immediately.

Three of those vulnerabilities were rated critical on the CVSSv3 scale—two of them contain the possibility for remote code execution, while the third would allow a bad actor to bypass VMware’s user authentication systems to execute unauthorized operations.

One critical vulnerability, CVE-2022-22954, centers on server-side template injection in Workspace ONE Access and Identity Manager as a possible method of achieving remote code execution, and requires only access to the network on which the services are running.

Another remote code execution vulnerability in Workspace ONE Access, Identity Manager and vRealize Automation, reported as both CVE-2022-22957 and CVE-2022-22958, would let a bad actor with administrative access control those systems via a malicious Java Database Connectivity URI.

The user-authentication bypass, tagged as CVE-2022-22955 and CVE-2022-22956, works by exploiting exposed endpoints in the authentication framework in Workspace ONE Access.

According to Ian McShane, vice president of strategy at cybersecurity vendor Arctic Wolf, these vulnerabilities are serious indeed, and underline the urgency of applying patches to the most critical security holes. “With any company, change control should be a best practice,” he said. “But [the critical security flaws] require immediate changes, and are the ones that should be pushed out without testing.”

Yaron Tal, the founder and CTO of Reposify, an Israeli startup providing machine-learning-based EASM (external attack surface management), said that remote code execution vulnerabilities essentially let threat actors “run rampant” in compromised systems, stealing credentials and sensitive data and disseminating malware. “With [remote code execution], unprivileged external code can run remotely on any vulnerable machine in the network,” he said. “Hackers are left to puppeteer attacks remotely with devastating impact. No strike is out of the question—data can be lost or stolen, communications proxied to a remote location, company data copied to private drives, or corporate reputation damaged with explicit content. All are very real, legitimate possibilities.”

Immediate patching could be difficult for some companies, particularly those with service-level agreements and contractual mandates for a given level of uptime, because they may need to restart or reboot affected systems for patching, according to McShane. “Everyone’s organization has different environments and different needs,” he said.

Tal agreed that the patches were of immediate importance, and noted that this is likely to be an inconvenience for VMware’s customers. “We don’t know the patching mechanism in detail, but what we can say for certain is that access management systems are required to be on 24/7, and patches cannot be applied without turning the system off,” he said. “Patches are typically applied at predetermined times (like Christmas, Thanksgiving) when the workspace environment is quiet to minimize downtime as much as possible.”

VMware credited Steven Seeley of the Qihoo 360 Vulnerability Research Institute with discovering the flaws.