VMSA-2021-0008

Main Menu

Today’s Multi-Cloud Reality: Cloud Chaos

87% of enterprises use two or more cloud environments to run their applications. Multi-cloud accelerates digital transformation, but also introduces complexity and risk, resulting in a chaotic reality for many organizations.

LEARN ABOUT MULTI-CLOUD

Conquer Cloud Chaos with VMware Cross-Cloud services

VMware is addressing cloud chaos with our portfolio of multi-cloud services, VMware Cross-Cloud services, which enable you to build, run, manage, secure, and access applications consistently across cloud environments.

With VMware Cross-Cloud services, you can address cloud chaos and shift to a cloud smart approach – one where you can choose the best environment for every application, without multiplying your complexity.

LEARN HOW CROSS-CLOUD SERVICES CAN HELP

Low

Advisory ID: VMSA-2021-0008

CVSSv3 Range: 3.7

Issue Date: 2021-05-11

Updated On: 2021-05-11 (Initial Advisory)

CVE(s): CVE-2021-21990

Synopsis: VMware Workspace ONE UEM console patches address a cross-site scripting vulnerability (CVE-2021-21990)

1. Impacted Products

VMware Workspace ONE UEM console

2. Introduction

A cross-site scripting vulnerability in VMware Workspace ONE UEM console was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.

3. Cross Site Scripting (XSS) vulnerability in VMware Workspace ONE UEM console (CVE-2021-21990)

Description

VMware Workspace ONE UEM console does not validate an incoming request during device enrollment.VMware has evaluated the severity of this issue to be in the low
severity range with a maximum CVSSv3 base score of 3.7.

Known Attack Vectors

A malicious actor may be able to inject code or redirect a user to another site during the enrollment process.

Resolution

To remediate CVE-2021-21990, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Mr. Lauritz Holtmann and Mr. Leif Enders of usd AG for reporting this issue to us.

Response Matrix

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
VMware Workspace ONE UEM console	1912	Any	CVE-2021-21990	3.7	low	19.12.0.24	None	None
VMware Workspace ONE UEM console	2001	Any	CVE-2021-21990	3.7	low	20.1.0.32	None	None
VMware Workspace ONE UEM console	2003	Any	CVE-2021-21990	3.7	low	20.3.0.23	None	None
VMware Workspace ONE UEM console	2004	Any	CVE-2021-21990	3.7	low	20.4.0.21	None	None
VMware Workspace ONE UEM console	2005	Any	CVE-2021-21990	3.7	low	20.5.0.46	None	None
VMware Workspace ONE UEM console	2006	Any	CVE-2021-21990	3.7	low	20.6.0.19	None	None
VMware Workspace ONE UEM console	2007	Any	CVE-2021-21990	3.7	low	20.7.0.14	None	None
VMware Workspace ONE UEM console	2008	Any	CVE-2021-21990	3.7	low	20.8.0.28	None	None
VMware Workspace ONE UEM console	2010	Any	CVE-2021-21990	3.7	low	20.10.0.16	None	None
VMware Workspace ONE UEM console	2011	Any	CVE-2021-21990	3.7	low	20.11.0.27	None	None
VMware Workspace ONE UEM console	2101	Any	CVE-2021-21990	3.7	low	21.1.0.14	None	None
VMware Workspace ONE UEM console	2102	Any	CVE-2021-21990	3.7	low	21.2.0.8	None	None

4. References

Fixed Version(s) and Release Notes:

VMware Workspace ONE UEM console 2102 - On-Prem
https://resources.workspaceone.com/view/48ktw9p6spmq8dflll49/en

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2102/rn/Workspace-ONE-UEM-2102-Release-Notes.html#21-2-0-8-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2101 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2101/rn/Workspace-ONE-UEM-2101-Release-Notes.html#21-1-0-14-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2011 - On-Prem

https://resources.workspaceone.com/view/pdwkjgfsb8b57cxvfnpd/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2011/rn/VMware-Workspace-ONE-UEM-Release-Notes-2011.html#20-11-0-27-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2010 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2010/rn/VMware-Workspace-ONE-UEM-Release-Notes-2010.html#20-10-0-16-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2008 - On-Prem

https://resources.workspaceone.com/view/5qtfg6xhrkcp6vp4t4l7/en

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2008/rn/VMware-Workspace-ONE-UEM-Release-Notes-2008.html#20-8-0-28-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2007 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2007/rn/VMware-Workspace-ONE-UEM-Release-Notes-2007.html#20-7-0-14-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2006 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2006/rn/VMware-Workspace-ONE-UEM-Release-Notes-2006.html#20-6-0-19-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2005 - On-Prem

https://resources.workspaceone.com/view/3s4wvw2b3wp5mfs3y8s7/en

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2005/rn/VMware-Workspace-ONE-UEM-Release-Notes-2005.html#20-5-0-46-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2004 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2004/rn/VMware-Workspace-ONE-UEM-Release-Notes-2004.html#20-4-0-21-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2003 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2003/rn/VMware-Workspace-ONE-UEM-Release-Notes-2003.html#20-3-0-23-patch-resolved-issue-resolved

VMware Workspace ONE UEM console 2001 - On-Prem

https://resources.workspaceone.com/view/zmbk3nnwjhfr8jhkhyjc/en

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2001/rn/VMware-Workspace-ONE-UEM-Release-Notes-2001.html#20-1-0-32-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 1912 - Cloud Only
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1912/rn/VMware

Additional Documentation

None

Mitre CVE Dictionary Links

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21990

FIRST CVSSv3 Calculator

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

5. Change Log

2021-05-11: VMSA-2021-21990
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com

bugtraq@securityfocus.com

fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

VMware Security Advisories

https://www.vmware.com/security/advisories

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog

https://blogs.vmware.com/security

Twitter

https://twitter.com/VMwareSRC

Copyright 2020 VMware Inc. All rights reserved.