Service announcement: VMware has advised customers to immediately patch critical vulnerabilities across multiple products to protect against the risk of threat actors launching attacks.

At present, VMware has confirmed that no attacks have been observed – however, following public disclosure of the vulnerabilities, attacks are likely to occur and you must be prepared.

The identified vulnerabilities include:

  • One server-side template injection remote code execution vulnerability (CVE-2022-22954)
  • Two OAuth2 ACS authentication bypass vulnerabilities (CVE-2022-22955, CVE-2022-22956)
  • Two JDBC injection remote code execution vulnerabilities (CVE-2022-22957, CVE-2022-22958)

In addition to this, VMware has also patched high and medium severity bugs, which could be exploited for Cross-Site Request Forgery (CSRF) attacks (CVE-2022-22959), to escalate privileges (CVE-2022-22960), and to gain access to information without authorisation (CVE-2022-22961).

VMware products impacted by these vulnerabilities:

  • VMware vRealize Automation (vRA)
  • VMware Identity Manager (vIDM)
  • VMware Cloud Foundation
  • VMware Workspace ONE Access (Access)
  • vRealize Suite Lifecycle Manager

What are the exploits?

  • Remote Code Execution (RCE): allows an attacker to remotely execute malicious code on a computer – sometimes without authorisation or permission – that can result in malware execution or the attacker gaining full control over a compromised machine
  • Authentication Bypass: a flaw in an application that allows users to access application resources without authentication
  • Java Database Connectivity (JDBC) Remote Code Execution: JDBC is an API for the Java programming language that defines how a client may access a database. In a JDBC injection attack, similar to an SQL Injection attack, a user crafts special statements and inserts them into an entry field so that they are executed remotely (e.g. to dump the database content), resulting in remote code execution (RCE)
  • Cross-site Request Forgery (CSRF): an attack that tricks the end user into executing unwanted actions on a web application on behalf of the attacker, often achieved by sending a link via email or chat
  • Elevation of Privilege: the exploitation of a bug in an operating system or software application to gain elevated access to resources that are typically protected from that application or user
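The CSRF definition above describes the attack from the user's side: a link in an email or chat makes the victim's browser submit a request the user never intended. The added example below (not from VMware or from the original announcement) shows the two checks a web application uses to defeat that: a per-session synchronizer token that a third-party page cannot read, and an Origin/Referer check against the application's own origin. The application origin, the session dictionary and the request dictionaries are all constructed stand-ins for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed stand-in for the web application's own origin (assumption for this example)
APP_ORIGIN = "https://portal.example.internal"


def issue_csrf_token() -> str:
    """Generate a per-session synchronizer token; the server stores it in the session
    and embeds it in every state-changing form it renders."""
    return secrets.token_urlsafe(32)


def origin_allowed(headers: dict, app_origin: str = APP_ORIGIN) -> bool:
    """Accept a state-changing request only if its Origin (or, failing that, Referer)
    header names our own scheme and host. A request carrying neither is rejected."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    src, app = urlsplit(source), urlsplit(app_origin)
    return (src.scheme, src.netloc) == (app.scheme, app.netloc)


def csrf_check(session: dict, request: dict) -> tuple:
    """Validate one request against the caller's session.
    `request` is a plain dict with 'method', 'headers' and 'form' keys.
    Returns (allowed, reason)."""
    if request["method"].upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"          # read-only methods must not change state anyway
    if not origin_allowed(request["headers"]):
        return False, "origin mismatch"
    expected = session.get("csrf_token", "")
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte
    if not expected or not hmac.compare_digest(expected, submitted):
        return False, "token mismatch"
    return True, "ok"


# Constructed sample session and requests -----------------------------------------
SESSION = {"csrf_token": issue_csrf_token()}


def legitimate_request() -> dict:
    """A form submitted from the application's own page: same origin, valid token."""
    return {
        "method": "POST",
        "headers": {"Origin": APP_ORIGIN},
        "form": {"action": "change_email", "csrf_token": SESSION["csrf_token"]},
    }


def forged_request_cross_origin() -> dict:
    """A form auto-submitted by a page the victim was linked to. The browser sends the
    victim's cookies, but the Origin header names the third-party site and the
    attacker's page cannot read the session token to include it."""
    return {
        "method": "POST",
        "headers": {"Origin": "https://third-party.example"},
        "form": {"action": "change_email", "csrf_token": "guessed-value"},
    }


def forged_request_no_origin() -> dict:
    """Same forged submission with Origin and Referer stripped: it must still fail
    because the token check stands on its own."""
    return {"method": "POST", "headers": {}, "form": {"action": "change_email"}}


if __name__ == "__main__":
    for name, req in [("legitimate", legitimate_request()),
                      ("forged cross-origin", forged_request_cross_origin()),
                      ("forged no-origin", forged_request_no_origin())]:
        print(f"{name}: {csrf_check(SESSION, req)}")
```

The two checks are deliberately independent: the origin check rejects the common case cheaply, and the token check still holds when a browser or proxy omits the Origin and Referer headers.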

Patches for critical VMware vulnerabilities

VMware has released a complete list of fixed versions, details of the risk if not patched, and links to hotfix installers, plus temporary solutions or workarounds for organisations where appliances can’t be immediately patched. This includes steps for running a VMware-provided Python-based script on affected virtual appliances.

Please note, the only way to truly remediate the vulnerabilities highlighted is to fully patch systems.

This is an ongoing event and we are continuing to track the developments. If you have any questions or require support, please contact our IT service desk on 01904 562207 or email [email protected].