VMware has released patches for multiple vulnerabilities, one of which is deemed to be critical with a common vulnerabilities scoring system (CVSS) version 3 rating of 9.8 out of 10.
The critical bug allows attackers with network access to the user interface to get administrative access without authentication.
Three VMware products – Workspace One Access, Identity Manager and vRealize Automation – are vulnerable, and require patching for the vulnerability found by Petrus Viet of VNG Security.
I have found vulnerabilities CVE-2022-31656 and CVE-2022-31659 leading to unauthenticated remote code execution affecting many #VMware products, such as Workspace ONE. Technical writeup and POC soon to follow.
— Petrus Viet (@VietPetrus) August 2, 2022
Viet also found a remote code execution vulnerability in the same products, affecting the Java database connectivity (JDBC) driver they all use.
An attacker could use the flaw, with a CVSSv3 score of 8.0 and VMware rating of ‘important’, to run code remotely.
The attacker would need administrative and network access, however.
It is also possible to remotely attack VMware One Access and Identity Manager using a structured query language injection (SQLi) vulnerability, Viet found.
Again, that flaw requires administrator and network access to exploit, and carries a CVSSv3 rating of 8.0.
A total of 10 flaws are getting patcheswith the following VMware products affected:
- Workspace ONE Access
- Workspace ONE Access Connector
- Identity Manager
- Identity Manager Connector
- vRealize Automation
- Cloud Foundation
- vRealize Suite Lifecycle Manager
“It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments,” VMware said.