VMware patches critical 'make me admin' auth bypass bug, plus nine other flaws

VMware has fixed a critical authentication bypass vulnerability that hits 9.8 out of 10 on the CVSS severity scale and is present in multiple products.

That flaw is tracked as CVE-2022-31656, and affects VMware's Workspace ONE Access, Identity Manager, and vRealize Automation. It was addressed along with nine other security holes in this patch batch, published Tuesday.

Here's the bottom line of the '31656 bug, according to VMware: "A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate." Quite a nice way to get admin-level control over a remote system.

The critical vulnerability is similar to, or perhaps even a variant or patch bypass of, an earlier critical authentication bypass vulnerability (CVE-2022-22972) that also rated 9.8 in severity and VMware fixed back in May. Shortly after that update was issued, CISA demanded US government agencies pull the plug on affected VMware products if patches can't be applied.

While the virtualization giant isn't aware of any in-the-wild exploits (so far at least) of the newer vulnerability, "it is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments," VMware warned in an advisory. "If your organization uses ITIL methodologies for change management, this would be considered an 'emergency' change."

In addition to the software titan and third-party security researchers urging organizations to patch immediately, Petrus Viet, the bug hunter who found and reported the flaw, said he'll soon