A critical vulnerability affecting VMware Workspace ONE Access and VMware Identity Manager allows malicious actors to remotely execute arbitrary code triggering a server-side template injection. According to VMware, the vulnerability is actively exploited.
The vulnerability, which was assigned the CVE-2022-22954 advisory, affects several versions of VMware Workspace ONE Access and VMware Identity Manager, which VMware has already provided patches for.
Additionally, VMware described workarounds that can be used as a temporary solution. The workarounds could impact the functionality of affected products, though.
VMware does not exclude the possibility that alternative workarounds could be available, such as using a firewall to control the customer environment, but leaves the decision as to which measure to apply to customers.
All environments are different, have different tolerance for risk, and have different security controls and defense-in-depth to mitigate risk, so customers must make their own decisions on how to proceed. However, given the severity of the vulnerability, we strongly recommend immediate action.
The vulnerability was initially reported by Steven Seeley of Qihoo 360 Vulnerability Research Institute.
Security researcher Daniel Card warned on Twitter that this vulnerability is being exploited in the wild by crypto miners and that a new wave of ransomware attacks should be expected.
Along with the patch for VMware Workspace ONE Access and Identity Manager RCE vulnerability, VMware also released patches for seven more vulnerabilities affecting VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.