VMSA-2020-0001

Moderate

Advisory ID: VMSA-2020-0001

CVSSv3 Range: 6.8

Issue Date: 2020-01-09

Updated On: 2020-01-09 (Initial Advisory)

CVE(s): CVE-2020-3940

Synopsis: VMware Workspace ONE SDK and dependent mobile application updates address sensitive information disclosure vulnerability (CVE-2020-3940)

1. Impacted Products

Workspace ONE SDK
Workspace ONE Boxer
Workspace ONE Content
Workspace ONE SDK Plugin for Apache Cordova
Workspace ONE Intelligent Hub
Workspace ONE Notebook
Workspace ONE People
Workspace ONE PIV-D
Workspace ONE Web
Workspace ONE SDK Plugin for Xamarin

2. Introduction

A sensitive information disclosure vulnerability in the VMware Workspace ONE SDK was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.

3. VMware Workspace ONE SDK and dependent mobile application updates address sensitive information disclosure vulnerability (CVE-2020-3940)

Description

VMware Workspace ONE SDK and dependent mobile applications do not properly handle certificate verification failures if SSL Pinning has been enabled in the Workspace ONE UEM Console. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 6.8.

Known Attack Vectors

A malicious actor with man-in-the-middle (MITM) network positioning between an affected mobile application and Workspace ONE UEM Device Services may be able to capture sensitive data in transit if SSL Pinning is enabled.

Resolution

To remediate CVE-2020-3940, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

None.

Response Matrix

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
Workspace ONE SDK	19.x.y	Android	CVE-2020-3940	6.8	moderate	19.11.1	None	None
Workspace ONE SDK (Objective-C)	5.9.9.x	iOS	CVE-2020-3940	6.8	moderate	5.9.9.8	None	None
Workspace ONE SDK (Swift)	Any	iOS	CVE-2020-3940	N/A	N/A	Unaffected	N/A	N/A
Workspace ONE Boxer	Any	Android	CVE-2020-3940	6.8	moderate	5.13.1	None	None
Workspace ONE Boxer	Any	iOS	CVE-2020-3940	N/A	N/A	Unaffected	N/A	N/A
Workspace ONE Content	Any	Android	CVE-2020-3940	6.8	moderate	3.2.1	None	None
Workspace ONE Content	Any	iOS	CVE-2020-3940	6.8	moderate	4.2	None	None
Workspace ONE SDK Plugin for Apache Cordova	Any	Any	CVE-2020-3940	6.8	moderate	1.5.1	None	None
Workspace ONE Intelligent Hub	Any	Android	CVE-2020-3940	6.8	moderate	19.11.1	None	None
Workspace ONE Intelligent Hub	Any	iOS	CVE-2020-3940	N/A	N/A	Unaffected	N/A	N/A
Workspace ONE Notebook	Any	Android	CVE-2020-3940	6.8	moderate	1.2.1	None	None
Workspace ONE Notebook	Any	iOS	CVE-2020-3940	N/A	N/A	Unaffected	N/A	N/A
Workspace ONE People	Any	Android	CVE-2020-3940	6.8	moderate	1.3.2	None	None
Workspace ONE People	Any	iOS	CVE-2020-3940	N/A	N/A	Unaffected	N/A	N/A
Workspace ONE PIV-D	Any	Android	CVE-2020-3940	6.8	moderate	1.4.2	None	None
Workspace ONE PIV-D	Any	iOS	CVE-2020-3940	N/A	N/A	Unaffected	N/A	N/A
Workspace ONE Web	Any	Android	CVE-2020-3940	6.8	moderate	7.10.8	None	None
Workspace ONE Web	Any	iOS	CVE-2020-3940	N/A	N/A	Unaffected	N/A	N/A
Workspace ONE SDK Plugin for Xamarin	Any	Any	CVE-2020-3940	6.8	moderate	1.4.1	None	None