For the second time in less than a week, VMware is warning about a critical vulnerability (CVE-2020-4006). This time, the affected solutions are VMware Workspace One Access, Access Connector, VMware Identity Manager and VMware Identity Manager Connector.
Because some of these components (vIDM) are bundled into the VMware Cloud Foundation and vRealize Suite Lifecycle Manager product suites, those suites are impacted as well.
About the vulnerability (CVE-2020-4006)
Not much has been shared about CVE-2020-4006 beyond the fact that it is a command injection vulnerability: a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account could execute commands with unrestricted privileges on the underlying operating system.
The vulnerability was privately reported to VMware and the company categorized it as “critical.”
Affected products include:
- VMware Workspace One Access v20.10 (Linux)
- VMware Workspace One Access v20.01 (Linux)
- VMware Identity Manager v3.3.3 (Linux)
- VMware Identity Manager v3.3.2 (Linux)
- VMware Identity Manager v3.3.1 (Linux)
- VMware Identity Manager Connector v3.3.2 and 3.3.1 (Linux)
- VMware Identity Manager Connector v3.3.3, 3.3.2, and 3.3.1 (Windows)
- VMware Cloud Foundation (vIDM) v4.x (running on any platform)
- vRealize Suite Lifecycle Manager (vIDM) v8.x (running on any platform)
VMware did not say whether the flaw is under active exploitation, but it has released workarounds (along with instructions for reverting them) while it works on patches.
“This workaround is relevant for the configurator hosted on port 8443. Impacts are limited to functionality performed by this service. Configurator-managed setting changes will not be possible while the workaround is in place. If changes are required, please revert the workaround following the instructions below, make the required changes and disable again until patches are available. In addition, most of the system diagnostics dashboard will not be displayed,” the company noted.
Last week, VMware patched critical flaws in its ESXi hypervisor that were exploited during the Tianfu Cup Pwn Contest that was held in Chengdu, China, earlier this month.
from Help Net Security https://ift.tt/2UVd50t