VMware Patches Workspace ONE Access Vulnerability Reported by NSA
2020-12-04 18:25

VMware on Thursday released patches for a Workspace ONE Access security flaw that was identified and reported by the National Security Agency.

Formerly VMware Identity Manager, Workspace ONE Access delivers multi-factor authentication, single sign-on, and conditional access functionality for SaaS, mobile and web applications.

Tracked as CVE-2020-4006, the recently discovered vulnerability has been downgraded from critical to important severity because VMware found that an attacker looking to exploit the flaw needs valid credentials for the configurator admin account.

Initially, VMware did not provide information on who identified the security bug, but an update it made to its advisory this week, in conjunction with the release of patches, revealed that the NSA discovered it.

"A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system," VMware explains in its advisory.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/9iG8mAki6lg/vmware-patches-workspace-one-access-vulnerability-reported-nsa

Related Vulnerability

DATE        CVE            VULNERABILITY TITLE                                    RISK
2020-11-23  CVE-2020-4006  OS Command Injection vulnerability in VMWare products  critical 9.1

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector have a command injection vulnerability.
network, low complexity, vmware, CWE-78

Related vendor

VENDOR  #/PRODUCTS  LOW  MEDIUM  HIGH  CRITICAL  TOTAL VULNS
Vmware  146         11   222     256   102       591
NSA     2           0    2       7     5         14