VMware released a critical security advisory this week to warn users of security vulnerabilities that have been found in a variety of their systems. VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector, and vRealize Automation products have all received security patches to deal with these vulnerabilities. VMware advise all users that it is “extremely important” to update to the most recent version as soon as possible in order to apply these new patches as an attacker can chain the flaws together in order to fully take over the target system.  

One of the flaws addressed in this update is an authentication bypass vulnerability, affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation. This vulnerability is tracked as CVE-2022-31656, and has been rated as ‘critical’ severity, with a CVSSv3 base score of 9.8. This flaw affects the local domain users in the affected products. Unauthenticated attackers who have access to the network and user interface can exploit this vulnerability to gain administrative access. This allows attackers to then exploit another vulnerability included in this patch, CVE-2022-31658, which requires the attackers to have administrator and network access. This is a JDBC injection remote code execution vulnerability, assigned a CVSSv3 base score of 8.0, and a severity rating of ‘important’. 

Another injection remote code execution vulnerability (CVE-2022-31665), and an SQL injection remote code execution vulnerability (CVE-2022-31659) are also included in these security patches. Other vulnerabilities addressed by this security update include three elevation of privileges vulnerabilities that can escalate privileges to ‘root’ (CVE-2022-31660, CVE-2022-31661, CVE-2022-31664), a URL injection vulnerability that can redirect users to an arbitrary domain (CVE-2022-31657), and a path traversal vulnerability which allows attackers to access files (CVE-2022-31662). Most of these vulnerabilities require attackers to have local or network access to be able to exploit them. A cross-site scripting (XSS) vulnerability (CVE-2022-31663) has also been patched in this update. To exploit this, attackers require user interaction, which then allows attackers to inject JavaScript code into the target user’s window. 

Currently there is no evidence of the critical vulnerability CVE-2022-31656 being exploited in attacks in the wild, however VMware have still advised that “This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA” in the FAQs for this security advisory. Although some workarounds for these vulnerabilities do exist, VMware state that the only way to successfully avoid these flaws being exploited is to apply the patches included in the updates, and run the fixed versions instead.