Security Experts:

Connect with us

Hi, what are you looking for?



VMware Patches Five Critical Vulnerabilities in Workspace ONE Access

VMware on Wednesday announced patches for several critical and high-severity vulnerabilities affecting Workspace ONE Access and other products.

VMware on Wednesday announced patches for several critical and high-severity vulnerabilities affecting Workspace ONE Access and other products.

A total of eight security holes are detailed in the company’s advisory, affecting VMware Workspace ONE Access, Identity Manager (vIDM, the previous name of Workspace ONE Access), vRealize Automation (vRA), Cloud Foundation, and Suite Lifecycle Manager. Five of the issues are rated “critical severity.”

With a CVSS score of 9.8 and tracked as CVE-2022-22954, the first of the bugs is a remote code execution vulnerability affecting both Workspace ONE Access and Identity Manager.

The issue exists because a “malicious actor with network access can trigger a server-side template injection,” which could result in remote code execution.

VMware also announced patches for two authentication bypass vulnerabilities in the OAuth2 ACS framework of Workspace ONE Access, which could allow a malicious actor to “execute any operation due to exposed endpoints in the authentication framework.”

Tracked as CVE-2022-22955 and CVE-2022-22956, the issues have a CVSS score of 9.8.

[ READ: VMware Patches Critical Vulnerabilities in Carbon Black App Control ]

Two other critical vulnerabilities addressed this week impact Workspace ONE Access, Identity Manager and vRealize Automation, VMware announced. Tracked as CVE-2022-22957 and CVE-2022-22958, the flaws have a CVSS score of 9.1.

Described as remote code execution issues, the two bugs require administrative access for successful exploitation.

“A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution,” VMware says.

Two other security bugs detailed in VMware’s advisory are rated “high severity” (CVE-2022-22959 and CVE-2022-22960), while a third is rated “medium severity” (CVE-2022-22961).

Steven Seeley of the Qihoo 360 Vulnerability Research Institute has been credited for finding these vulnerabilities.

VMware warns that all products using Identity Manager components – including Cloud Foundation, NSX-T, vRealize Suite, Cloud suites, vRealize Automation, vRealize Log Insight, and vRealize Network Insight – are considered vulnerable.

[ READ: VMware NSX Data Center Flaw Can Expose Virtual Systems to Attacks ]

The company recommends that all potentially impacted customers apply the available patches or workarounds as soon as possible.

“To fully protect yourself and your organization please install one of the patch versions listed in the VMware Security Advisory, or use the workarounds listed in the VMSA,” the company says.

VMware also notes that it currently has no evidence of in-the-wild exploitation for any of these vulnerabilities.

On Wednesday, the company also announced the release of patches for two high-severity vulnerabilities in VMware Horizon Client for Linux, which are tracked as CVE-2022-22962 and CVE-2022-22964 (CVSS score of 7.3).

Related: VMware Plugs Security Holes in Workstation, Fusion and ESXi

Related: VMware vCenter Server Vulnerability Can Facilitate Attacks on Many Organizations

Related: VMware Warns of Log4j Attacks Targeting Horizon Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.