
VMware patches critical flaws in Workspace ONE Access identity management software

Virtualization software vendor VMware has released patches addressing critical web security vulnerabilities in several of its products.

The updates, released today (April 7), include patches for a remote code execution (RCE) flaw in VMware Workspace ONE Access, formerly known as Identity Manager.

The vulnerability – tracked as CVE-2022-22954 and with a CVSS rating of 9.8 – arises as the result of a server-side template injection issue.

“A malicious actor with network access can trigger a server-side template injection that may result in remote code execution,” VMware warns in a security bulletin.

Also on the critical list are two authentication bypass vulnerabilities in the OAuth2 ACS framework, which is tied to VMware Workspace ONE Access.

These flaws – tracked as CVE-2022-22955 and CVE-2022-22956 and both with a CVSS rating of 9.8 – each allow an attacker to bypass an authentication mechanism and “execute any operation due to exposed endpoints in the authentication framework”, VMware warns.

Further fixes

Another set of updates in the batch addresses two critical deserialization-of-untrusted-data issues involving VMware Workspace ONE Access and vRealize Automation.

The flaws – tracked as CVE-2022-22957 and CVE-2022-22958 and given a severity rating of 9.1 – mean that an attacker with “administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution”.

All five flaws were discovered by Steven Seeley of the Qihoo 360 vulnerability research team. The Daily Swig invited the researcher to comment on the findings, as well as on the prevalence of the vulnerabilities.

The same VMware patch batch for VMware Workspace ONE Access and vRealize Automation also tackles several less serious flaws, including a cross-site request forgery (CSRF) vulnerability, a privilege escalation security flaw, and an information disclosure risk.

The latest release comes at a time when the infosec world at large continues to be on the lookout for exploitation of Spring4Shell, a critical vulnerability in VMware’s open source Spring Framework.

Source: https://portswigger.net/daily-swig/vmware-patches-critical-flaws-in-workspace-one-access-identity-management-software
