
VMware issues critical fixes, CISA orders federal agencies to act immediately (CVE-2022-22972)
2022-05-19 09:25

VMware has released patches for a privately reported critical vulnerability in VMware's Workspace ONE Access, VMware Identity Manager, vRealize Lifecycle Manager, vRealize Automation, and VMware Cloud Foundation products, and is urging administrators to patch or mitigate immediately, because "The ramifications of this vulnerability are serious."

Simultaneously, the Cybersecurity and Infrastructure Security Agency has issued an emergency directive for all federal civilian executive branch agencies, which are ordered to enumerate all instances of affected VMware products and either deploy the updates provided by VMware or remove those instances from agency networks by May 23.

The patches released by VMware on Wednesday also fix CVE-2022-22973, a local privilege escalation vulnerability in VMware Workspace ONE Access and Identity Manager, which could allow attackers with local access to gain "Root" privileges on vulnerable systems.

In a supplemental blog post, VMware notes that while some workarounds for the discovered security holes are available, there are downsides to using them instead of implementing the patches.

CISA says that since "threat actors were able to reverse engineer and begin exploitation of impacted VMware products that remained unpatched within 48 hours of the update's release," the agency "expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products."

VMware has noted that by applying the latest product updates, admins who have not previously implemented fixes for CVE-2022-22954 and CVE-2022-22960 will get those fixes at the same time, as "VMware product updates are cumulative for security."

News URL

https://www.helpnetsecurity.com/2022/05/19/cve-2022-22972/

Related Vulnerability

DATE: 2022-05-20
CVE: CVE-2022-22973
VULNERABILITY TITLE: Unspecified vulnerability in VMware products. VMware Workspace ONE Access and Identity Manager contain a privilege escalation vulnerability.
RISK: 7.8 (attack vector: local; attack complexity: low; vendor: vmware)

Related vendor

VENDOR: VMware
LOW: 11
MEDIUM: 222
HIGH: 256
CRITICAL: 102
TOTAL VULNS: 591
LAST 12M / #/PRODUCTS: 146 (the source lists a single figure for these two columns without indicating which it belongs to)