CVE-2022-22957: 
Workspace ONE Access Connector vulnerability analysis and mitigation

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability (CVE-2022-22957) that was disclosed on April 13, 2022. The vulnerability affects multiple versions of VMware products including Workspace ONE Access (versions 21.08.0.0/0.1 and 20.10.0.0/0.1), Identity Manager (versions 3.3.3-3.3.6), and vRealize Automation 7.6. This vulnerability has been assigned a CVSS v3.1 base score of 7.2 (High severity) (NVD).

The vulnerability is classified as a deserialization of untrusted data issue (CWE-502). A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution. The vulnerability can be exploited through the dbCheck method inside the com.vmware.horizon.rest.controller.system.DBConnectionCheckController class, where an attacker-controlled jdbcUrl parameter can lead to arbitrary JDBC URI connections (AttackerKB).

Successful exploitation of this vulnerability allows an attacker with administrative access to execute arbitrary code on the affected system. The vulnerability has high impacts on confidentiality, integrity, and availability of the system, as indicated by its CVSS metrics (VMware Advisory).

VMware has released patches to address this vulnerability. Users are advised to apply the patches listed in the 'Fixed Version' column of the Resolution Matrix in the VMware Security Advisory. The fixes are available through KB88099, and temporary workarounds are documented in KB88098 (VMware Advisory).