CVE-2022-22954

Name of the Vulnerable Software and Affected Versions VMware Workspace ONE Access and Identity Manager VMware Cloud Foundation vRealize Suite Lifecycle Manager

Description The software contains a remote code execution issue due to a server-side template injection. A malicious actor with network access can trigger this injection, potentially leading to remote code execution. The issue is related to improper handling of code generation within the Template Handler component. Exploitation can be achieved through a crafted HTTP request targeting the /catalog-portal/ui/oauth/verify API Endpoint with the deviceUdid parameter. The payload utilizes the freemarker.template.utility.Execute function to execute arbitrary commands. Reports indicate that the vulnerability has been actively exploited by the Rocket Kitten APT group to gain initial access and deploy backdoors, including Core Impact. The vulnerability allows for the highest level of privileged access to virtualized host and guest environments.

Recommendations Versions prior to the fix for CVE-2022-22954 should be updated. As a temporary workaround, consider disabling the vulnerable component Template Handler until a patch is available. Restrict access to the /catalog-portal/ui/oauth/verify API Endpoint to minimize the risk of exploitation.