VMware reveals a swarm of serious bugs – some critical
Meanwhile changes the name of its major customer-facing event... probably a coincidence
VMware has revealed more critical bugs that impact five of its products, including the Cloud Foundation bundle it promotes as the ideal way to build a hybrid multi-cloud.
CVE-2022-22954, 22955 and 22956 are the worst of the new bugs – all earning a 9.8/10 severity score on the CVSS scale.
The first affects VMware Workspace ONE Access and Identity Manager and lets a malicious actor with network access trigger a server-side template injection that may result in remote code execution. CVE-2022-22955 and CVE-2022-22956 are found in VMware Workspace ONE Access: exposed endpoints in the authentication framework let attackers bypass the OAuth2 ACS framework and then execute any operation.
Only slightly less serious are CVE-2022-22957 and CVE-2022-22958, rated 9.1/10. They allow a malicious actor with administrative access to trigger deserialization of untrusted data through a malicious JDBC URI, which could lead to remote code execution in VMware Workspace ONE Access, Identity Manager and vRealize Automation.
VMware is defining a new market category
The company has also 'fessed up to a cross-site request forgery vulnerability rated 8.8/10, a 7.8-rated root privilege escalation problem, and an information disclosure vulnerability that allows a malicious actor with remote access to leak the hostname of a target system.
But wait, there's more! The Horizon Client for Linux – a tool used to access remote apps and desktops – has a pair of flaws that can lead to low-privileged users acting above their station.
The latest set of disclosures comes on top of VMware's woes with the Spring Framework, flaws in the company's Carbon Black security wares, nasty critical-rated guest-to-host flaws in VMware hypervisors, and massive exposure to Log4j.
Customers miffed by that collection of crummy code and considering a stern chat with VMware at its annual VMworld conference might need to rethink those plans, though. While Virtzilla will return to throwing huge in-person conferences for thousands of delegates, it has changed the event's name – to "VMware Explore".
The event's web page includes an FAQ with the question: "Why has VMworld been transformed into VMware Explore?"
The answer bears the marks of having been signed off by a lot of marketing people:
VMware is a company that thrives on profound reinvention. With a hyper-focus on customer innovation, we're defining a new market category – with apps and multi-cloud at the center of everything we do. This transformation communicates that we are a strategic leader in multi-cloud, shaping its future, from public to private to edge. To help effectively express that, we need to revolutionize the VMworld experience as the center of the multi-cloud universe – VMware Explore.
The event will therefore "focus on solving the problems faced in this multi-workload, multi-cloud, and multi-workspace IT environment" and "show you how to build and operate your cloud native platform, accelerate your cloud transformation, and secure your hybrid workforce."
The name change reflects the fact that virtual machines (VMs) – while likely to be around for decades – are regarded as last decade's usefully money-saving and agility-enhancing abstraction. It's also a nod to the fact that VMware's portfolio now extends well beyond VMs.
Containers and multi-cloud are far hotter than VMs right now. The former help to make developers more productive and the latter is apparently inevitable as businesses shop for infrastructure that fits precise needs and/or surrender to the inevitability of shadow IT.
Interestingly, VMware Explore's verbiage mentions applications once, and makes no mention of containers. VMware is going deep on both and doing its very best to generate enthusiasm for its platforms among developers. The company previously targeted ops teams, but has quietly admitted that doing so did not yield the level of success it desired for its Pivotal-derived portfolio of container-centric Tanzu products.
The rebadged event will run in a familiar late August slot in San Francisco, then visit Barcelona in early November. Four smaller Explore events will visit Brazil, Singapore, Japan, and China later that month.
One other thing to be miffed about: despite the FAQ clearly indicating that VMworld has been "transformed", VMware Explore is being treated as an entirely new event. As a consequence, event alumni status has ended – presumably taking with it VMworld attendance streaks. Your correspondent attended 11 VMworlds on the bounce before a certain virus intervened. Now it's back to square one. ®