Multiple VMware products found to contain critical security flaws

VMware has released a new security patch addressing numerous high-severity vulnerabilities in five different products.

Given the number of products affected, and the destructive potential of the vulnerabilities, VMware has urged the users to apply the patch without a second’s delay.

Those that are unable to install the patch immediately can also apply a workaround to keep their endpoints secure.

TechRadar needs you!

We’re looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn’t take more than 60 seconds of your time, and entrants from the UK and US will have the chance to enter a draw for a £100 Amazon gift card (or equivalent in USD). Thank you for taking part.

>> Click here to start the survey in a new window

Serious ramifications

With the newest update, VMware patched a server-side template injection remote code execution vulnerability (CVE-2022-22954), two OAuth2 ACS authentication bypass vulnerabilities (CVE-2022-22955, CVE-2022-22956), and two JDBC injection remote code execution vulnerabilities (CVE-2022-22957, CVE-2022-22958).

The same patch also addresses a couple of less dangerous bugs, including CVE-2022-22959 (allows for a Cross-Site Request Forgery), CVE-2022-22960 (allows for privilege escalation), CVE-2022-22961 (allows access to information without authorization).

VMware products vulnerable to these flaws include VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

The flaws are major and users should hurry up with applying the patch:

“This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0011. The ramifications of this vulnerability are serious,” VMware said.

“All environments are different, have different tolerance for risk, and have different security controls and defense-in-depth to mitigate risk, so customers must make their own decisions on how to proceed. However, given the severity of the vulnerability, we strongly recommend immediate action.”

> VMware issues emergency patch for critical security flaws

> VMware patches another severe security bug

> Hackers have begun scanning for vulnerable VMware vCenter servers

There is no evidence of the flaws being abused in the wild just yet, but now that the information is out there, it could only be a matter of time.

VMware added that any users unable to patch up can apply a workaround, with more details on this link.

“Workarounds, while convenient, do not remove the vulnerabilities, and may introduce additional complexities that patching would not,” the company warned. “While the decision to patch or use the workaround is yours, VMware always strongly recommends patching as the simplest and most reliable way to resolve this issue.”