If you use certain VMWAre products, be aware that the company has recently identified and issued a patch for a total of five critical security vulnerabilities.
These are being tracked as:
- CVE-2022022954 (This issue is a server-side template injection remote code execution issue)
- CVE-2022-22955
- CVE-2022-22956 (This issue, and the one above it are both OAuth2 ACS authentication bypass vulnerabilities)
- CVE-2022022957
- And CVE-20220958, with these last two being JDBC injection remote code execution vulnerabilities.
The products impacted by these issues are:
- vRealize Suite Lifecycle Manager
- VMware Cloud Foundation
- VMware vRealize Automation (vRA)
- VMware Identity Manager (vIDM)
- And VMware Workspace ONE Access (Access)
The patch the company released to address the issue is VMSA-2021-0011.
The company made a point to stress that different organizations will have varying risk tolerances, security controls, and defenses in place to manage risk. So customers using VMWare equipment should certainly feel free to make their own decisions regarding what priority to place on installing the patch for this issue. They strongly recommended that all their customers take immediate action given the severity of the security vulnerability.
VMware stressed that so far, they have found no evidence of any of these vulnerabilities being exploited in the wild. Of course, it's just a matter of time until that happens and the company recommends applying the patch as soon as possible if you use any of the products mentioned above.
If you are unable to apply the patch immediately, also be aware that the company has a workaround detailed on their website that could be used as a stopgap measure in the short run. It doesn't remove the risk and it may introduce some added wrinkles and complexities but it's better than doing nothing until the patch can be applied.
Kudos to VMware for their fast action in addressing these issues and in providing a workaround for those who cannot patch immediately.