Security News > 2020 > November > VMware urges sysadmins to apply workarounds after critical Workspace command execution vuln found

VMware has published a series of workarounds for critical command injection vulnerabilities in its Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector products.

A command injection vuln could allow malicious people who have network access to the "Administrative configurator on port 8443" together with "a valid password for the configurator admin account" to execute commands with "Unrestricted privileges on the underlying operating system," said VMware.

The workaround for Linux-based Workspace One Access, Identity Manager, and Identity Manager Connector consists of running an SSH script on vulnerable appliances, as detailed in VMware's knowledgebase post.

The Windows workaround is a simple series of command prompt commands.

Further back, in April vCenter was patched after a 10.0 rated vuln - the highest possible - revealed that anyone could create new admin users on vulnerable networks.

News URL

https://go.theregister.com/feed/www.theregister.com/2020/11/24/vmware_urges_sysadmins_to_implement/