Cloud computing and virtualization technology company VMWare rolled out an update on Thursday to address a critical vulnerability in its Cloud Director product that could be weaponized for remote code execution attacks.
The issue that the identifier is associated with CVE-2022-22966has a CVSS score of 9.1 out of a maximum of 10. VMware credits security researcher Jari Jääskelä with reporting the bug.
“An authenticated, highly privileged malicious actor with network access to the VMware Cloud Director tenant or provider could potentially exploit a remote code execution vulnerability to gain access to the server,” VMware said in an advisory.
As the leading cloud infrastructure management platform, VMware Cloud Director (formerly vCloud Director) is used by many well-known cloud providers to operate and manage their cloud infrastructures. Half a million VMware customers use the software to power the world’s complex digital infrastructure.
The vulnerability could therefore allow attackers to gain access to sensitive data and take over private clouds within an entire infrastructure.
Affected versions include 10.1.x, 10.2.x, and 10.3.x, with fixes available in versions 10.1.4.1, 10.2.2.3, and 10.3.3. The company has also published workarounds that can be followed if an upgrade to a recommended version is not possible.
The patches come a day after exploits for another recently fixed critical bug in VMware Workspace ONE Access were discovered in the wild.
The bug (CVE-2022-22954) relates to a remote code execution vulnerability that results from server-side template injection in VMware Workspace ONE Access and Identity Manager.
As VMware products often become a lucrative target for threat actors, the update increases the urgency for organizations to apply the necessary countermeasures to prevent potential threats.