VMware addresses flaws in Cloud Director allowing remote code execution

VMware announced that it has launched a patch to fix the critical security flaw in Cloud Director that could potentially enable threat actors to conduct remote code execution attacks, The Hacker News reports. The company said the flaw, which is designated CVE-2022-22966 and carries a CVSS score of 9.1, affects versions 10.1.x, 10.2.x, and 10.3.x of VMware Cloud Director, which was formerly named vCloud Director, and could allow attackers to breach users' private clouds, access private data and take them over. It relates to a remote code execution vulnerability resulting from server-side template injection in VMware Workspace ONE Access and Identity Manager. "An authenticated, high privileged malicious actor with network access to the VMware Cloud Director tenant or provider may be able to exploit a remote code execution vulnerability to gain access to the server," the company said in a statement. VMware has rolled out patches in Cloud Director's versions 10.1.4.1, 10.2.2.3, and 10.3.3 and suggested workarounds for users who cannot update their products to the recommended version for whatever reason.