VMware warned customers today to immediately patch a critical authentication bypass vulnerability "affecting local domain users" in multiple products that can be exploited to obtain admin privileges.
The flaw (tracked as CVE-2022-22972) impacts Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate, the company explains.
Admins urged to patch immediately
"This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2022-0014," VMware warned on Wednesday.
The company also patched a second, high-severity local privilege escalation flaw (CVE-2022-22973) that lets an attacker who already has local access to an unpatched appliance elevate their permissions to 'root.'
The complete list of VMware products impacted by these security bugs includes:
- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
VMware typically states in its advisories whether a flaw is known to be exploited in the wild; today's VMSA-2022-0014 advisory contains no such note, so there is no public confirmation of active exploitation at this time.
VMware provides patch download links and installation instructions on its knowledgebase website.
Workaround also available
VMware also provides temporary workarounds for admins who cannot patch their appliances immediately.
The documented steps require admins to disable all users except one provisioned administrator, then log in via SSH and restart the horizon-workspace service. Because every other account is disabled, the workaround effectively takes the appliance out of service for end users until the patch is applied.
However, VMware does not recommend relying on this workaround and says the only way to fully address CVE-2022-22972 is to patch the affected products.
Source: BleepingComputer.