Critical RCE Vulnerability CVE-2022-22954 in VMware Workspace ONE Access and Identity Manager

Proof of concept code released for a critical RCE vulnerability in Workspace ONE Access and Identity Manager

Summary

Proof of concept code released for a critical RCE vulnerability in Workspace ONE Access and Identity Manager


The following platforms are also known to be affected:

These products are also included in VMware's security advisory but are not related to CVE-2022-22954:

  • VMware vRealize Automation (vRA) Versions: 8.x, 7.6
  • VMware Cloud Foundation Versions: 4.x, 3.x
  • vRealize Suite Lifecycle Manager Versions: 8.x

Threat details

Exploitation of CVE-2022-22954 in the wild 

Vulnerabilities in VMware products have been commonly targeted by Advanced Persistent Threat (APT) groups in the past. VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the wild.


Introduction

A recent VMware security advisory, VMSA-2022-0011, provides details of CVE-2022-22954, a critical vulnerability affecting Workspace ONE Access and Identity Manager. Multiple proof of concept (PoC) exploits for CVE-2022-22954 are being publicly circulated. VMware has confirmed that exploitation of CVE-2022-22954 is occurring in the wild.

CVE-2022-22954 is due to server-side template injection that could allow an attacker to perform remote code execution (RCE). The PoC code appears to show that CVE-2022-22954 can be exploited by sending a specially crafted HTTP GET request to a vulnerable server, resulting in RCE on the server.
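Because the injection arrives in an HTTP GET request, web access logs are a practical place to hunt for attempts. The following is an added example, not code from this alert or from VMware: it flags GET requests whose query string contains template-expression openers once percent-encoding (including double encoding) is undone. The marker set, the request paths and the log lines are constructed assumptions and should be tuned to your own appliance logs.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumed markers: expression/directive openers used by common server-side
# template engines. They are not taken from the advisory.
TEMPLATE_MARKERS = re.compile(r"\$\{|#\{|<#")

# Request portion of a common/combined format access log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markers are not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (client_ip, request_target, status) for GETs carrying template syntax."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        query = urlsplit(m["target"]).query
        if TEMPLATE_MARKERS.search(fully_decode(query)):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Apr/2022:09:01:12 +0000] "GET /portal/login?next=%2Fhome HTTP/1.1" 200 5120',
    '203.0.113.9 - - [14/Apr/2022:09:02:40 +0000] "GET /portal/verify?id=%24%7Bconstructed%7D HTTP/1.1" 400 812',
    '203.0.113.9 - - [14/Apr/2022:09:02:44 +0000] "GET /portal/verify?id=%2524%257Bconstructed%257D HTTP/1.1" 400 812',
    '192.0.2.15 - - [14/Apr/2022:09:03:05 +0000] "POST /portal/api/session HTTP/1.1" 201 64',
]

if __name__ == "__main__":
    for ip, target, status in suspicious_requests(SAMPLE_LOG):
        print(f"review: {ip} -> {target} (HTTP {status})")
```

A hit indicates an attempt rather than a compromise; correlate the response status and subsequent host activity before drawing conclusions.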

Information on other vulnerabilities in VMware's security advisory VMSA-2022-0011

VMware's security advisory also provides updates to remediate other vulnerabilities affecting Workspace ONE Access, Identity Manager, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager. At the time of publication, it is unknown if PoCs exist for these other vulnerabilities, but affected organisations should apply updates as a matter of caution. Details on this advisory can be found in Cyber Alert CC-4071.


Remediation advice

Affected organisations are required to review VMware's security advisory VMSA-2022-0011 and apply the relevant updates.



Last edited: 14 April 2022 10:44 am