VMware Ships Urgent Patch for Authentication Bypass Security Flaw

Virtualization technology giant VMware released an urgent and high-priority patch on Tuesday to address an authentication bypass vulnerability in its Workspace ONE Access, Identity Manager, and vRealize Automation products.

The vulnerability carries VMware’s highest severity rating (CVSSv3 base score of 9.8) and should be patched without delay, the company said in an advisory.

“VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the user interface may be able to gain administrative access without the need to authenticate,” VMware warned.

“This critical vulnerability should be patched or mitigated immediately as directed by [the advisory],” VMware said.

The authentication bypass vulnerability, identified as CVE-2022-31656, was discovered and reported by PetrusViet (a member of VNG Security).

The company said it was not aware of any exploitation in the wild, but in an additional note VMware confirmed that this flaw is a variant of a previously patched issue (VMSA-2022-0014) for which exploit code is publicly available.

The latest patches also cover at least nine other documented vulnerabilities affecting the VMware Workspace ONE Access, Access Connector, Identity Manager, Identity Manager Connector, and vRealize Automation product lines.

Ryan Naraine is editor of SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a seasoned cybersecurity strategist who has implemented security engagement programs for major global brands including Intel Corp., Bishop Fox, and Kaspersky GReAT. He is co-founder of Threatpost and the SAS Global Conference Series. Ryan’s previous career as a security journalist included articles in major technology publications, including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World. Ryan is a director of the nonprofit organization Security Tinkerers, an advisor to startup entrepreneurs, and a regular speaker at security conferences around the world.
Follow Ryan on Twitter @ryanaraine.