VMware Patches Five Critical Vulnerabilities in Workspace ONE Access

VMware on Wednesday announced patches for several critical and high-severity vulnerabilities affecting Workspace ONE Access and other products.

A total of eight security holes are detailed in the company’s advisory, affecting VMware Workspace ONE Access, Identity Manager (vIDM, the previous name of Workspace ONE Access), vRealize Automation (vRA), Cloud Foundation, and Suite Lifecycle Manager. Five of the issues are rated “critical severity.”

With a CVSS score of 9.8 and tracked as CVE-2022-22954, the first of the bugs is a remote code execution vulnerability affecting both Workspace ONE Access and Identity Manager.

The issue exists because a “malicious actor with network access can trigger a server-side template injection,” which could result in remote code execution.

VMware also announced patches for two authentication bypass vulnerabilities in the OAuth2 ACS framework of Workspace ONE Access, which could allow a malicious actor to “execute any operation due to exposed endpoints in the authentication framework.”

Tracked as CVE-2022-22955 and CVE-2022-22956, the issues have a CVSS score of 9.8.

Two other critical vulnerabilities addressed this week impact Workspace ONE Access, Identity Manager and vRealize Automation, VMware announced. Tracked as CVE-2022-22957 and CVE-2022-22958, the flaws have a CVSS score of 9.1.

Described as remote code execution issues, the two bugs require administrative access for successful exploitation.

“A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution,” VMware says.

Two other security bugs detailed in VMware’s advisory are rated “high severity” (CVE-2022-22959 and CVE-2022-22960), while a third is rated “medium severity” (CVE-2022-22961).

Steven Seeley of the Qihoo 360 Vulnerability Research Institute has been credited with finding these vulnerabilities.

VMware warns that all products using Identity Manager components – including Cloud Foundation, NSX-T, vRealize Suite, Cloud suites, vRealize Automation, vRealize Log Insight, and vRealize Network Insight – are considered vulnerable.

The company recommends that all potentially impacted customers apply the available patches or workarounds as soon as possible.

“To fully protect yourself and your organization please install one of the patch versions listed in the VMware Security Advisory, or use the workarounds listed in the VMSA,” the company says.

VMware also notes that it currently has no evidence of in-the-wild exploitation for any of these vulnerabilities.

On Wednesday, the company also announced the release of patches for two high-severity vulnerabilities in VMware Horizon Client for Linux, which are tracked as CVE-2022-22962 and CVE-2022-22964 (CVSS score of 7.3).

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
