VMware vRealize Suite
Hot on the heels of the recent April 2022 VMware critical security advisory VMSA-2022-0011, which addressed eight CVEs within VMware Workspace ONE Access and VMware Identity Manager, VMware has released a new creitical security advisory VMSA-2022-0014. This advisory addresses two new security vulnerabilities (CVE-2022-22972 and CVE-2022-22973) in VMware Workspace ONE Access and VMware Identity Manager, with one rated as critical. Authentication Bypass Vulnerability - CVE-2022-22972 According to VMware, a malicious user with network access to the VMware Workspace ONE Access or VMware Identity Manager user interfaces may be able to obtain administrative access without needing to authenticate.
Those familiar with deploying VMware vRealize Suite know just how vital VMware Identity Manager (vIDM) is to support the entire deployment. For those who haven’t deployed VMware vRealize Suite, VMware Identity Manager is the centralized authentication platform integrated throughout the entire VMware vRealize Suite of products. It provides multiple directory options, including Active Directory Integrated Windows Authentication, Active Directory over LDAPS, traditional LDAP directories, and local directories. Authentication options include traditional username/password, x509 certificate/smart card, Kerberos, RSA Adaptive Authentication, RSA SecurID, and RADIUS.
Unless you’ve been living under a rock the past couple days, you’ve likely been seeing many articles regarding CVE-2021-44228 which describes a remote code execution vulnerability within Apache Log4j. Apache Log4j is a Java-based logging utility used by many applications across the world, and as such, this vulnerability is a huge issue due to how easy it is to exploit as well as the sheer number of vulnerable devices. Like most companies with Java based applications, many of VMware’s products utilize Log4j to provide application logging capabilities.
Today, VMware is introducing the new vRealize Cloud Universal subscription. With this new hybrid subscription offering, VMware is providing customers the flexibility to consume both on-premise and SaaS vRealize Suite products and services using a single subscription license. This offering allows customers the freedom to move workloads between on-premise and SaaS offerings interchangeably without the requirement to purchase new licenses. Additionally, this new offering provides access to Cloud Federated Analytics and Cloud Federated Catalog capabilities.
The annual VMworld conference always includes large product announcements, and in line with this history, VMware today has announced their intent to acquire SaltStack. Salt is a python-based open-source platform for event-driven IT automation, remote task execution, and configuration management platform that utilizes infrastructure as code. Salt originated from the need for high-speed data collection and task execution for systems administrators managing massive infrastructure scale and resulting complexity. SaltStack is the company that now maintains the Salt Open project and develops and sells SaltStack Enterprise software, services, and support.