Patches out for serious vulnerabilities in several VMware products – Security – Michmutters

Patches out for serious vulnerabilities in several VMware products – Security

VMware has released patches for multiple vulnerabilities, one of which is deemed to be critical with a common vulnerabilities scoring system (CVSS) version 3 rating of 9.8 out of 10.

The critical bug allows attackers with network access to the user interface to get administrative access without authentication.

Three VMware products – Workspace One Access, Identity Manager and vRealize Automation – are vulnerable, and require patching for the vulnerability found by Petrus Viet of VNG Security.

Viet also found a remote code execution vulnerability in the same products, affecting the Java database connectivity (JDBC) driver they all use.

An attacker could use the flaw, with a CVSSv3 score of 8.0 and VMware rating of ‘important’, to run code remotely.

The attacker would need administrative and network access, however.

It is also possible to remotely attack VMware One Access and Identity Manager using a structured query language injection (SQLi) vulnerability, Viet found.

Again, that flaw requires administrator and network access to exploit, and carries a CVSSv3 rating of 8.0.

A total of 10 flaws are getting patches, with the following VMware products affected:

  • Workspace ONE Access
  • Workspace ONE Access Connector
  • IdentityManager
  • Identity Manager Connector
  • vRealize Automation
  • CloudFoundation
  • vRealize Suite Lifecycle Manager

“It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments,” VMware said.

Leave a Reply

Your email address will not be published. Required fields are marked *