Security News > 2020 > December > VMware Patches Workspace ONE Access Vulnerability Reported by NSA
VMware on Thursday released patches for a Workspace ONE Access security flaw that was identified and reported by the National Security Agency.
Formerly VMware Identity Manager, Workspace ONE Access delivers multi-factor authentication, single sign-on, and conditional access functionality for SaaS, mobile and web applications.
Tracked as CVE-2020-4006, the recently discovered vulnerability has been downgraded from critical to important severity, because VMware discovered that an attacker looking to exploit the flaw needs valid credentials for the configurator admin account.
Initially, VMware did not provide information on who identified the security bug, but an update it made to its advisory this week, in conjunction with the release of patches, revealed that the NSA discovered it.
"A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system," VMware explains in its advisory.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-23 | CVE-2020-4006 | Command Injection vulnerability in VMWare products VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability. | 9.0 |