VMware warns customers of multiple new vulnerabilities in a range of products. Some open the door to remote code execution (RCE) attacks.
Affected products include VMware Workspace ONE Access, VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and VMware vRealize Suite Lifecycle Manager.
The flaws include a server-side template injection RCE vulnerability (CVE-2022-22954), two OAuth2 ACS authentication bypass vulnerabilities (CVE-2022-22955, CVE-2022-22956) and two JDBC injection RCE vulnerabilities (CVE-2022-22957, CVE-2022-22958). As of yet, there is no evidence of cybercriminals exploiting these vulnerabilities.
In addition, VMware announced that it recently patched a number of high- and medium-severity bugs that could potentially be exploited for cross-site request forgery (CSRF) attacks (CVE-2022-22959), privilege escalation (CVE-2022-22960) and unauthorized access (CVE-2022-22961).
Patches for Spring4Shell RCE
Lastly, VMware recently patched Spring4Shell RCE vulnerabilities in affected products, including VMware Tanzu Application Service for VMs, VMware Tanzu Operations Manager, and VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).