
Just in Time Bulletin: CVE-2022-22954 VMware Workspace ONE RCE

Apr 21, 2022

What is CVE-2022-22954? 

Researchers have discovered that VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability caused by server-side template injection. A malicious actor with network access to the target can trigger a server-side template injection that can result in trivial command execution. A server-side template lets developers define static structures that are rendered at runtime with dynamically generated values. VMware uses a templating engine called FreeMarker. Because of the way FreeMarker was implemented in VMware Workspace ONE, an attacker can inject an instance of an Execute object, which results in remote command execution. Successful exploitation does not require authentication, and the attack can be carried out in a single line of Bash using the command-line utility cURL.

The rare confluence of pre-authentication and exceptionally trivial exploit complexity makes this a target ripe for mass exploitation. Exploitation has been observed in the wild and functional payloads are readily available. NopSec strongly recommends that you patch your system ASAP.
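A defender-side sketch for hunting this class of request in web access logs, added here as an example and not taken from NopSec or VMware: it flags FreeMarker interpolation and `?new` instantiation of utility classes such as `Execute` in URL-decoded request targets. The combined log format, the placeholder path and parameter, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import quote, unquote_plus
# FreeMarker utility classes that the ?new built-in can instantiate; Execute is
# the one the bulletin names. Stored lowercase: matching is case-insensitive.
DANGEROUS_CLASSES = (
    "freemarker.template.utility.execute",
    "freemarker.template.utility.objectconstructor",
    "freemarker.template.utility.jythonruntime",
)
INTERPOLATION = re.compile(r"[$#]\{")        # ${...} or legacy #{...}
NEW_BUILTIN = re.compile(r"\?\s*new\s*\(")   # the ?new() built-in
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded payloads are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return 'high', 'medium' or None for one access-log line."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    target = fully_decode(match.group(1)).lower()
    has_class = any(name in target for name in DANGEROUS_CLASSES)
    has_new = bool(NEW_BUILTIN.search(target))
    has_interp = bool(INTERPOLATION.search(target))
    if has_class and (has_new or has_interp):
        return "high"
    if has_class or (has_interp and has_new):
        return "medium"
    return None

# Constructed sample lines: placeholder path and parameter, command redacted.
_EXPR = quote('${"freemarker.template.utility.Execute"?new()("REDACTED")}', safe="")
_LINE = '198.51.100.7 - - [21/Apr/2022:10:00:01 +0000] "GET %s HTTP/1.1" 400 512'
SAMPLES = [
    _LINE % "/placeholder/login?user=alice",
    _LINE % ("/placeholder/endpoint?param=" + _EXPR),
    _LINE % ("/placeholder/endpoint?param=" + quote(_EXPR, safe="")),  # double-encoded
    _LINE % ("/placeholder/endpoint?param=" + quote("${x?new()}", safe="")),
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), line[:90])
```

A hit shows that a request was attempted, not that it succeeded; patched appliances log the same requests, so correlate hits with patch status and host-level evidence.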

How bad is this?

CVE CVSSv3 Score
CVE-2022-22954 9.8

Active exploitation today: Actively exploited in the wild prior to patch availability.

Severity: Critical

  • Credentials are NOT required
  • Exploited in the wild
  • Low level of complexity

Who is affected by this?

  • VMware Workspace ONE Access Appliance 21.08.0.1
  • VMware Workspace ONE Access Appliance 21.08.0.0
  • VMware Workspace ONE Access Appliance 20.10.0.1
  • VMware Workspace ONE Access Appliance 20.10.0.0
  • VMware Identity Manager Appliance 3.3.6
  • VMware Identity Manager Appliance 3.3.5
  • VMware Identity Manager Appliance 3.3.4
  • VMware Identity Manager Appliance 3.3.3
  • VMware vRealize Automation 7.6

How is it exploited?

Exploitation can be accomplished with a crafted request to the vulnerable endpoint.

How do I protect myself?

VMware has released a cumulative security patch to address CVE-2022-22954.

If patching is not an immediate option, VMware released a Python script as a workaround.

Additional Resources: