VMware urges patching Workspace ONE Access and VMware products that include components of VMware Identity Manager.

Virtualization and cloud vendor VMware this week disclosed eight vulnerabilities in five of its products, and urged users of Workspace ONE Access and all of its products that include VMware Identity Manager components to patch immediately.

Three of those vulnerabilities were rated critical on the CVSSv3 scale—two of them contain the possibility for remote code execution, while the third would allow a bad actor to bypass VMware’s user authentication systems to execute unauthorized operations.

One critical vulnerability, CVE-2022-22954, centers on server-side template injection in Workspace ONE Access and Identity Manager as a possible method of achieving remote code execution, and requires only access to the network on which the services are running.

Another remote code execution vulnerability in Workspace ONE Access, Identity Manager and vRealize Automation, reported as both CVE-2022-22957 and CVE-2022-22958, would let a bad actor with administrative access control those systems via a malicious Java Database Connectivity URI.

The user-authentication bypass, tagged as CVE-2022-22955 and CVE-2022-22956, works by exploiting exposed endpoints in the authentication framework in Workspace ONE Access.

According to Ian McShane, vice president of strategy at cybersecurity vendor Arctic Wolf, these vulnerabilities are serious indeed, and underline the urgency of applying patches to the most critical security holes. “With any company, change control should be a best practice,” he said.
“But [the critical security flaws] require immediate changes, and are the ones that should be pushed out without testing.”

Yaron Tal, the founder and CTO of Reposify, an Israeli startup providing machine-learning-based EASM (external attack surface management), said that remote code execution vulnerabilities essentially let threat actors “run rampant” in compromised systems, stealing credentials and sensitive data and disseminating malware.

“With [remote code execution], unprivileged external code can run remotely on any vulnerable machine in the network,” he said. “Hackers are left to puppeteer attacks remotely with devastating impact. No strike is out of the question—data can be lost or stolen, communications proxied to a remote location, company data copied to private drives, or corporate reputation damaged with explicit content. All are very real, legitimate possibilities.”

Immediate patching could be difficult for some companies, particularly those with service-level agreements and contractual mandates for a given level of uptime, because they may need to restart or reboot affected systems for patching, according to McShane. “Everyone’s organization has different environments and different needs,” he said.

Tal agreed that the patches were of immediate importance, and noted that this is likely to be an inconvenience for VMware’s customers. “We don’t know the patching mechanism in detail, but what we can say for certain is that access management systems are required to be on 24/7, and patches cannot be applied without turning the system off,” he said. “Patches are typically applied at predetermined times (like Christmas, Thanksgiving) when the workspace environment is quiet to minimize downtime as much as possible.”

VMware credited Steven Seeley of the Qihoo 360 Vulnerability Research Institute with discovering the flaws.