What is CVE-2022-22954?
Researchers have discovered that VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access to the target can trigger a server-side template injection that can result in trivial command execution. A server-side template is a means for developers to create static structures that are rendered at runtime with dynamically generated values. VMware uses a templating engine called FreeMarker. Due to the way in which FreeMarker was implemented in VMware Workspace ONE, an attacker can inject an instance of an Execute object, which results in remote command execution. Successful exploitation does not require authentication, and the attack can be carried out in a single line of Bash using the command-line utility cURL.
The rare confluence of pre-authentication and exceptionally trivial exploit complexity makes this a target ripe for mass exploitation. Exploitation has been observed in the wild and functional payloads are readily available. NopSec strongly recommends that you patch your system ASAP.
How bad is this?
| CVE | CVSSv3 Score |
| --- | --- |
| CVE-2022-22954 | 9.8 |
Active exploitation today: Actively exploited in the wild prior to patch availability.
Severity: Critical
- Credentials are NOT required
- Exploited in the wild
- Low level of complexity
Who is affected by this?
- VMware Workspace ONE Access Appliance 21.08.0.1
- VMware Workspace ONE Access Appliance 21.08.0.0
- VMware Workspace ONE Access Appliance 20.10.0.1
- VMware Workspace ONE Access Appliance 20.10.0.0
- VMware Identity Manager Appliance 3.3.6
- VMware Identity Manager Appliance 3.3.5
- VMware Identity Manager Appliance 3.3.4
- VMware Identity Manager Appliance 3.3.3
- VMware vRealize Automation 7.6
How is it exploited?
Exploitation can be accomplished with a crafted request to the vulnerable endpoint.
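One way to hunt for such requests in web access logs, as an added example that is not from the original advisory or from VMware: it flags FreeMarker syntax in URL-decoded request targets. The combined log format, the `/hypothetical/endpoint` path, the `id` parameter and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# FreeMarker syntax that has no business appearing in a request URL.
INDICATORS = {
    "interpolation": re.compile(r"[$#]\{"),
    "directive": re.compile(r"<#\w+"),
    "new_builtin": re.compile(r"\?\s*new\s*\("),
    "utility_class": re.compile(r"freemarker\.template\.utility\.", re.I),
}
# Assumed log format: Apache/nginx "combined".
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded input still matches."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return a finding dict for one log line, or None if it looks clean."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    decoded = fully_decode(m["target"])
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(decoded))
    if not hits:
        return None
    return {"src": m["src"], "status": int(m["status"]),
            "path": m["target"].split("?", 1)[0], "hits": hits}

def scan(lines):
    return [f for f in map(scan_line, lines) if f]

# Constructed sample lines: path, parameter and addresses are hypothetical.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2022:10:01:02 +0000] "GET /hypothetical/endpoint?id='
    '%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%7D HTTP/1.1" 400 512',
    '198.51.100.4 - - [12/Apr/2022:10:01:09 +0000] "GET /hypothetical/endpoint?new=1'
    '&ref=%2Fhome HTTP/1.1" 200 1024',
    '203.0.113.9 - - [12/Apr/2022:10:02:30 +0000] "GET /hypothetical/endpoint?id='
    '%2524%257Bprobe%257D HTTP/1.1" 400 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs record only the request line, so input carried in request bodies or headers is not covered by this check and a clean result does not rule out exploitation.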
How do I protect myself?
VMware has released a cumulative security patch to address CVE-2022-22954.
If patching is not an immediate option, VMware has released a Python script as a workaround.