Moderate
1. Impacted Products
- Workspace ONE SDK
- Workspace ONE Boxer
- Workspace ONE Content
- Workspace ONE SDK Plugin for Apache Cordova
- Workspace ONE Intelligent Hub
- Workspace ONE Notebook
- Workspace ONE People
- Workspace ONE PIV-D
- Workspace ONE Web
- Workspace ONE SDK Plugin for Xamarin
2. Introduction
A sensitive information disclosure vulnerability in the VMware Workspace ONE SDK was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.
3. VMware Workspace ONE SDK and dependent mobile application updates address sensitive information disclosure vulnerability (CVE-2020-3940)
Description
VMware Workspace ONE SDK and dependent mobile applications do not properly handle certificate verification failures if SSL Pinning has been enabled in the Workspace ONE UEM Console. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 6.8.
Known Attack Vectors
A malicious actor with man-in-the-middle (MITM) network positioning between an affected mobile application and Workspace ONE UEM Device Services may be able to capture sensitive data in transit if SSL Pinning is enabled.
Resolution
To remediate CVE-2020-3940, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
None.
Response Matrix
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Workspace ONE SDK | 19.x.y | Android | CVE-2020-3940 | | | | None | None |
| Workspace ONE SDK (Objective-C) | 5.9.9.x | iOS | CVE-2020-3940 | | | | None | None |
| Workspace ONE SDK (Swift) | Any | iOS | CVE-2020-3940 | N/A | N/A | Unaffected | N/A | N/A |
| Workspace ONE Boxer | Any | Android | CVE-2020-3940 | | | | None | None |
| Workspace ONE Boxer | Any | iOS | CVE-2020-3940 | N/A | N/A | Unaffected | N/A | N/A |
| Workspace ONE Content | Any | Android | CVE-2020-3940 | | | | None | None |
| Workspace ONE Content | Any | iOS | CVE-2020-3940 | | | | None | None |
| Workspace ONE SDK Plugin for Apache Cordova | Any | Any | CVE-2020-3940 | | | | None | None |
| Workspace ONE Intelligent Hub | Any | Android | CVE-2020-3940 | | | | None | None |
| Workspace ONE Intelligent Hub | Any | iOS | CVE-2020-3940 | N/A | N/A | Unaffected | N/A | N/A |
| Workspace ONE Notebook | Any | Android | CVE-2020-3940 | | | | None | None |
| Workspace ONE Notebook | Any | iOS | CVE-2020-3940 | N/A | N/A | Unaffected | N/A | N/A |
| Workspace ONE People | Any | Android | CVE-2020-3940 | | | | None | None |
| Workspace ONE People | Any | iOS | CVE-2020-3940 | N/A | N/A | Unaffected | N/A | N/A |
| Workspace ONE PIV-D | Any | Android | CVE-2020-3940 | | | | None | None |
| Workspace ONE PIV-D | Any | iOS | CVE-2020-3940 | N/A | N/A | Unaffected | N/A | N/A |
| Workspace ONE Web | Any | Android | CVE-2020-3940 | | | | None | None |
| Workspace ONE Web | Any | iOS | CVE-2020-3940 | N/A | N/A | Unaffected | N/A | N/A |
| Workspace ONE SDK Plugin for Xamarin | Any | Any | CVE-2020-3940 | | | | None | None |
4. References
Fixed Version(s) and Release Notes:
Workspace ONE SDK for Android
Workspace ONE SDK for iOS (Objective-C)
Workspace ONE Boxer for Android
Workspace ONE Content for Android
Workspace ONE Content for iOS
Workspace ONE SDK Plugin for Apache Cordova
Workspace ONE Intelligent Hub for Android
Workspace ONE Notebook for Android
Workspace ONE People for Android
https://kb.vmware.com/s/article/76713
Workspace ONE PIV-D for Android
Workspace ONE Web for Android
Workspace ONE SDK Plugin for Xamarin
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3940
FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
5. Change Log
2019-01-09 : VMSA-2020-0001
Initial security advisory on 2020-01-09.
6. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2020 VMware Inc. All rights reserved.