Earlier this year, VMware announced two dangerous vulnerabilities (CVE-2022-22957 & CVE-2022-22958) in some of their most widely used products: Workspace ONE Access, Identity Manager, and vRealize Automation. These security bugs allow attackers with admin access to take full control of vulnerable systems—easily running malicious code as if they were part of your team. In this post, I’ll break down how this exploit works, include demo code snippets, and point you to all must-read resources.

VMware vRealize Automation

If you have any of these exposed, especially to the internet, you should assume attackers are scanning and exploiting them.

What Are CVE-2022-22957 and CVE-2022-22958?

Both are remote code execution (RCE) vulnerabilities rooted in insecure deserialization: untrusted data reaches backend Java components that deserialize it, letting an attacker plant and run code of their choosing on the appliance.

The central issue is how these apps let admins configure connections to databases using JDBC (Java Database Connectivity) URIs. With crafted settings, attackers can trick the app into *deserializing* malicious data—handing them the keys to the kingdom.

Example: Exploit Code Snippet

Let’s see a basic demo of how a malicious JDBC URI might look. Attackers leverage known gadget chains (like those from the *ysoserial* toolkit):

# Generate a malicious serialized Java object payload that opens calculator
java -jar ysoserial.jar CommonsCollections1 "calc.exe" > shell_payload.ser

Now encode the file as Base64 and craft a JDBC string like this (illustrative):

jdbc:h2:mem:test;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'base64://<payload_base64_here>'

Other variants of the same idea:

- Attackers might use JNDI endpoints to fetch remote code.
- Or abuse H2’s RUNSCRIPT/SCRIPT features to inject payloads.

Remember: The attack is triggered whenever the Java backend parses the new connection string (for example at app restart, or right after an admin saves the config), so a single malicious save is enough.

Proof-of-Concept Payload (Pseudo-code)

Below is an illustrative example of how a vulnerable application might be tricked, showing the core Java operation:

// Simplified snippet vulnerable to insecure JDBC deserialization
String jdbcUrl = request.getParameter("database_uri"); // User input, passed through unvalidated!
// The driver parses the whole string, including any attacker-supplied properties
Connection conn = DriverManager.getConnection(jdbcUrl, "user", "password");

Attackers submit a “database_uri” value that forces the JDBC driver to load and execute the attacker’s serialized object.
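The fix on the application side is to stop accepting a raw JDBC URL at all. Below is an added example (my own illustration, not VMware’s code or a patch from the advisory) of the hardened pattern: the admin supplies host, port and database name as separate fields, each is validated, and the URL is assembled from a fixed driver prefix, so no driver properties such as INIT or RUNSCRIPT can ride along. The class name SafeJdbc, the methods buildUrl / isAcceptableRawUrl, and the assumption that PostgreSQL is the only legitimate driver are all mine.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import java.util.regex.Pattern;

/** Hypothetical hardened replacement for the vulnerable snippet above (added example). */
public final class SafeJdbc {
    // Assumption: the application only ever talks to PostgreSQL, so this is the only prefix allowed.
    private static final String DRIVER_PREFIX = "jdbc:postgresql://";
    // Conservative character classes: hostnames and database names never need ';', '?', '&' or '='.
    private static final Pattern HOST = Pattern.compile("^[A-Za-z0-9.-]{1,253}$");
    private static final Pattern DB_NAME = Pattern.compile("^[A-Za-z0-9_]{1,63}$");

    private SafeJdbc() {}

    /** Builds the URL from validated parts; the driver and its properties are never user-controlled. */
    public static String buildUrl(String host, int port, String database) {
        if (host == null || !HOST.matcher(host).matches()) {
            throw new IllegalArgumentException("invalid database host");
        }
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("invalid database port");
        }
        if (database == null || !DB_NAME.matcher(database).matches()) {
            throw new IllegalArgumentException("invalid database name");
        }
        return DRIVER_PREFIX + host + ":" + port + "/" + database;
    }

    /**
     * Audit helper for connection strings already stored in a config: accept only the allowlisted
     * driver prefix and reject any property delimiter or whitespace, which is where INIT=, RUNSCRIPT
     * and similar driver-side features would be smuggled in.
     */
    public static boolean isAcceptableRawUrl(String url) {
        if (url == null || !url.startsWith(DRIVER_PREFIX)) {
            return false;
        }
        for (char c : url.toCharArray()) {
            if (c == ';' || c == '?' || c == '&' || c == '=' || Character.isWhitespace(c)) {
                return false;
            }
        }
        return true;
    }

    /** Credentials travel in a Properties object, never concatenated into the URL. */
    public static Connection connect(String host, int port, String database,
                                     String user, String password) throws SQLException {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        return DriverManager.getConnection(buildUrl(host, port, database), props);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate config, two shaped like the H2 abuse shown earlier.
        System.out.println(buildUrl("db.internal.example", 5432, "appdb"));
        System.out.println(isAcceptableRawUrl("jdbc:postgresql://db.internal.example:5432/appdb"));
        System.out.println(isAcceptableRawUrl("jdbc:h2:mem:test;INIT=RUNSCRIPT FROM 'payload'"));
        System.out.println(isAcceptableRawUrl("jdbc:postgresql://db.internal.example:5432/appdb?init=x"));
        try {
            buildUrl("db.internal.example;INIT=RUNSCRIPT", 5432, "appdb");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The strictness is deliberate: legitimate driver options (SSL mode, timeouts) belong in the Properties object under application control, not in an admin-editable string. The isAcceptableRawUrl check is also useful as a one-off audit over connection strings already persisted in an appliance’s configuration, since the page notes the payload fires the next time that string is parsed.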

Affected: vRealize Automation 7.6 and 8.x.

Check your app’s version and *patch immediately.*

Get VMware’s security patches NOW:

VMware Advisory VMSA-2022-0011

References for Further Reading

- Original VMware advisory: VMSA-2022-0011 (CVE-2022-22957, CVE-2022-22958)
- NIST NVD Entry for CVE-2022-22958
- NIST NVD Entry for CVE-2022-22957
- Official VMware Fixes
- Technical analysis by Rapid7

Summary

CVE-2022-22958 (and twin CVE-2022-22957) highlight the dangers of insecure deserialization in enterprise Java applications. In short: if you’re exposing VMware admin portals, or haven’t patched recently, attackers can easily hijack your servers with a single admin login. This attack isn’t theoretical—VMware’s products are highly targeted because of their reach across IT, cloud, and authentication. Patch first, ask questions later!

Have questions or need more details? Sound off in the comments or check the links above for deep-dives and technical writeups.

*Stay safe—don’t let attackers get in through your admin backdoors!*

Timeline

Published on: 04/13/2022 18:15:00 UTC
Last modified on: 04/21/2022 14:57:00 UTC