1. Summary
Vulnerability Name | VMware Server-Side Template Injection Vulnerability (CVE-2022-22954) |
---|---|
Release Time | April 9, 2022 |
Component Name | VMware Workspace ONE Access<br>VMware Identity Manager<br>VMware Cloud Foundation (vIDM)<br>vRealize Suite Lifecycle Manager |
Affected Versions | VMware Workspace ONE Access: 20.10.0.0; 20.10.0.1; 21.08.0.0; 21.08.0.1<br>VMware Identity Manager: 3.3.3; 3.3.4; 3.3.5; 3.3.6<br>VMware Cloud Foundation (vIDM): 4.x<br>vRealize Suite Lifecycle Manager: 8.x |
Vulnerability Type | Remote Code Execution |
Exploitability | Attack Vector: Network<br>Attack Complexity: Low<br>Privileges Required: None<br>User Interaction: None |
Impact | Severity: CVSS v3 Base Score: 9.8 (Critical)<br>Confidentiality Impact: High<br>Integrity Impact: High<br>Availability Impact: High |
2. About CVE-2022-22954
2.1 Introduction
- VMware Workspace ONE is a digital workspace platform that allows users to deliver and manage applications on devices.
- VMware Identity Manager is the identity and access management component of Workspace ONE.
- VMware Cloud Foundation is a hybrid cloud platform.
- VMware vRealize Suite Lifecycle Manager automates lifecycle management (LCM) of the vRealize Suite.
2.2 Summary
On April 8, 2022, Sangfor FarSight Labs received a notice about a VMware server-side template injection vulnerability (CVE-2022-22954), classified as critical with a CVSS Score of 9.8.
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can send a specially crafted HTTP request to trigger a server-side template injection that may result in remote code execution.
VMware has confirmed that exploitation of CVE-2022-22954 has occurred in the wild.
3. Affected Versions
VMware Workspace ONE Access: 20.10.0.0; 20.10.0.1; 21.08.0.0; 21.08.0.1
VMware Identity Manager: 3.3.3; 3.3.4; 3.3.5; 3.3.6
VMware Cloud Foundation (vIDM): 4.x
vRealize Suite Lifecycle Manager: 8.x
4. Solutions
4.1 Remediation Solutions
Users can update their affected products to the latest version to fix the vulnerability at: https://kb.VMware.com/s/article/88099
4.2 Sangfor Solutions
4.2.1 Security Monitoring
The following Sangfor products and services perform real-time monitoring of assets affected by the VMware Server-Side Template Injection vulnerability (CVE-2022-22954):
- Sangfor Cyber Command (Network Detection and Response)
- Sangfor Cyber Guardian (Managed Detection and Response)
4.2.2 Security Protection
The following Sangfor products and services provide protection against the VMware Server-Side Template Injection vulnerability (CVE-2022-22954):
- Sangfor NGAF (Next Generation Firewall)
5. Timeline
On April 8, 2022, Sangfor received a notice about the VMware Server-Side Template Injection vulnerability (CVE-2022-22954).
On April 9, 2022, Sangfor FarSight Labs released a vulnerability alert with remediation solutions.
On April 13, 2022, Sangfor FarSight Labs updated the vulnerability alert to reflect reports of CVE-2022-22954 being exploited in the wild.
6. Reference
https://www.VMware.com/security/advisories/VMSA-2022-0014.html
7. Learn More
Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.