VMware warns of severe bugs in multiple products

VMWare is asking its customers to patch serious loopholes in several products, including a remote code execution (RCE) bug in Workspace One Access and update their software.

The products that were impacted include VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager, said the company in a security advisory.

Five of the eight bugs are tagged as critical, two are tagged as important and one is tagged as moderate in severity.

“The critical vulnerability should be patched or mitigated immediately,” VMware noted in an alert. “The ramifications of this vulnerability are serious.” 

The company said that a malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

Also read: Scammers impersonate WhatsApp voice message notifications to spread malware 

VMware Workspace ONE Access and Identity Manager comprises RCE vulnerability due to server-side template injection. VMware has appraised the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8.

The company said it has also found patches for CVE-2022-22955 and CVE-2022-22956. The vulnerabilities were found in the OAuth2 ACS framework.

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain privilege escalation vulnerability due to improper permissions in support scripts. The company has evaluated the severity of this issue to be in the important severity range with a maximum CVSSv3 base score of 7.8.