VMware have released fixes for multiple vulnerabilities that have been privately reported to them. They have provided patches and workarounds to address the issues found. As always, we advise customers to apply the patches as soon as possible.
1. Impacted Products
- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
2. Introduction
Multiple vulnerabilities were privately reported to VMware. Patches and workarounds are available to address these vulnerabilities in affected VMware products.
3a. Host header tampering leading to server side request on internal restricted service (CVE-2021-22002)
Description
VMware Workspace ONE Access and Identity Manager, allow the /cfg web app and diagnostic endpoints, on port 8443, to be accessed via port 443 using a custom host header. VMware has evaluated this issue to be of ‘Important‘ severity with a maximum CVSSv3 base score of 8.6.
Known Attack Vectors
A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the /cfg web app, in addition a malicious actor could access /cfg diagnostic endpoints without authentication.
Resolution
Fixes for CVE-2021-22002 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
Workarounds
Workarounds for CVE-2021-22002 are documented in the ‘Workarounds’ column of the ‘Response Matrix’ below.
Additional Documentation
KB70911 “Cumulative Update for vRealize Automation 7.6” provides a link to download vRealize Automation 7.6 Patch 23, which includes a fix for this vulnerability.
Notes
[1] vRealize Automation 7.6 is affected since it uses embedded vIDM. [2] vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM.Acknowledgements
VMware would like to thank Suleyman Bayir of Trendyol and Mehmet İnce of PRODAFT SARL for reporting this issue to us.
3b. Information Disclosure Vulnerability (CVE-2021-22003)
Description
VMware Workspace ONE Access and Identity Manager, unintentionally provide a login interface on port 7443. VMware has evaluated this issue to be of ‘Low‘ severity with a maximum CVSSv3 base score of 3.7.
Known Attack Vectors
A malicious actor with network access to port 7443 may attempt user enumeration or brute force the login endpoint, which may or may not be practical based on lockout policy configuration and password complexity for the target account.
Resolution
Fixes for CVE-2021-22003 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
Workarounds
None.
Additional Documentation
None.
Notes
[2] vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM.Acknowledgements
None.
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
Access | 20.10.01 | Linux | CVE-2021-22002, CVE-2021-22003 | 8.6, 3.7 | Important | KB85254 | None | None |
Access | 20.10 | Linux | CVE-2021-22002, CVE-2021-22003 | 8.6, 3.7 | Important | KB85254 | None | None |
Access | 20.01 | Linux | CVE-2021-22002, CVE-2021-22003 | 8.6, 3.7 | Important | KB85254 | None | None |
vIDM | 3.3.5 | Linux | CVE-2021-22002, CVE-2021-22003 | 8.6, 3.7 | Important | KB85254 | None | None |
vIDM | 3.3.4 | Linux | CVE-2021-22002, CVE-2021-22003 | 8.6, 3.7 | Important | KB85254 | None | None |
vIDM | 3.3.3 | Linux | CVE-2021-22002, CVE-2021-22003 | 8.6, 3.7 | Important | KB85254 | None | None |
vIDM | 3.3.2 | Linux | CVE-2021-22002, CVE-2021-22003 | 8.6, 3.7 | Important | KB85254 | None | None |
vRealize Automation [2] | 8.x | Linux | CVE-2021-22002, CVE-2021-22003 | N/A | N/A | Unaffected | N/A | N/A |
vRealize Automation (vIDM) [1] | 7.6 | Linux | CVE-2021-22002 | 8.6 | Important | vRA 7.6 Patch 23 | KB85255 | KB70911 |
vRealize Automation (vIDM) | 7.6 | Linux | CVE-2021-22003 | N/A | N/A | Unaffected | N/A | N/A |
Impacted Product Suites that Deploy Response Matrix Components:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
VMware Cloud Foundation (vIDM) | 4.x | Any | CVE-2021-22002, CVE-2021-22003 | 8.6, 3.7 | Important | KB85254 | None | None |
vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2021-22002, CVE-2021-22003 | 8.6, 3.7 | Important | KB85254 | None | None |
4. References
Fixed Version:
https://kb.vmware.com/s/article/85254
https://kb.vmware.com/s/article/70911
Workarounds:
https://kb.vmware.com/s/article/85255
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22003
FIRST CVSSv3 Calculator:
CVE-2021-22002 – https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CVE-2021-22003 – https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
5. Change Log
2021-08-05 VMSA-2021-0016
Initial Security Advisory.
2021-08-12 VMSA-2021-0016.1
Added VMware Workspace ONE Access 20.01 to Response Matrix.
2021-11-12 VMSA-2021-0016.2
Added vRealize Automation 7.6 Patch 23 to Response Matrix.