Security updates released for critical bugs in VMware’s Workspace ONE Assist

VMware released security updates Tuesday for three critical vulnerabilities in its Workspace ONE Assist product, which allows IT and help desk staff to remotely support employees.

The three critical vulnerabilities allowed a malicious actor with network access to Workspace ONE Assist to obtain administrative access without the need to authenticate to the application. The flaws are tracked as CVE-2022-31685 (authentication bypass vulnerability), CVE-2022-31686 (broken authentication method vulnerability), and CVE-2022-31687 (broken access control vulnerability).

Also fixed in the security update for Workspace ONE Assist were two moderate vulnerabilities — one a reflected cross-site scripting (XSS) vulnerability (CVE-2022-31688), and the other a session fixation vulnerability due to improper handling of session tokens (CVE-2022-31689).

All of the vulnerabilities were reported by staff members of Dutch firm Reqon IT-Security. 

See VMware’s advisory for more information on the vulnerabilities.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.
