Multiple VMware products found to contain critical security flaws

Representational image depecting cybersecurity protection
(Image credit: Shutterstock)

VMware has released a new security patch addressing numerous high-severity vulnerabilities in five different products. 

Given the number of products affected, and the destructive potential of the vulnerabilities, VMware has urged the users to apply the patch without a second’s delay. 

Those that are unable to install the patch immediately can also apply a workaround to keep their endpoints secure.

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Serious ramifications

With the newest update, VMware patched a server-side template injection remote code execution vulnerability (CVE-2022-22954), two OAuth2 ACS authentication bypass vulnerabilities (CVE-2022-22955, CVE-2022-22956), and two JDBC injection remote code execution vulnerabilities (CVE-2022-22957, CVE-2022-22958).

The same patch also addresses a couple of less dangerous bugs, including CVE-2022-22959 (allows for a Cross-Site Request Forgery), CVE-2022-22960 (allows for privilege escalation), CVE-2022-22961 (allows access to information without authorization).

VMware products vulnerable to these flaws include VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

The flaws are major and users should hurry up with applying the patch:

"This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0011. The ramifications of this vulnerability are serious," VMware said.

"All environments are different, have different tolerance for risk, and have different security controls and defense-in-depth to mitigate risk, so customers must make their own decisions on how to proceed. However, given the severity of the vulnerability, we strongly recommend immediate action."

There is no evidence of the flaws being abused in the wild just yet, but now that the information is out there, it could only be a matter of time.

VMware added that any users unable to patch up can apply a workaround, with more details on this link.

"Workarounds, while convenient, do not remove the vulnerabilities, and may introduce additional complexities that patching would not," the company warned. "While the decision to patch or use the workaround is yours, VMware always strongly recommends patching as the simplest and most reliable way to resolve this issue."

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.