SECURITY ALERTS

A Vulnerability (CVE-2022-22954) in VMware Workspace ONE Access, Identity Manager, Cloud Foundation, and vRealize Suite Lifecycle Manager Allows for Arbitrary Code Execution

DESCRIPTION:
VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain a remote code execution vulnerability (CVE-2022-22954) due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

 

AFFECTED RELEASES:
VMware Workspace ONE Access versions 20.10.0.0, 20.10.0.1, 21.08.0.0, and 21.08.0.1
VMware Identity Manager versions 3.3.3 to 3.3.6
VMware Cloud Foundation version 4.X
vRealize Suite Lifecycle Manager version 8.X

 

SOLUTION:
Users and system administrators of affected products are advised to refer to the official webpage (https://www.vmware.com/security/advisories/VMSA-2022-0011.html) to apply the security updates.

 

REFERENCE:
1. https://www.vmware.com/security/advisories/VMSA-2022-0011.html
2. https://kb.vmware.com/s/article/88099
3. https://www.ithome.com.tw/news/153782
4. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22954
5. https://nvd.nist.gov/vuln/detail/CVE-2022-22954
 
