Take Control of Your
Multi-Cloud Environment

VMware Workspace ONE UEM console

A cross-site scripting vulnerability in VMware Workspace ONE UEM console was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products. 

VMware Workspace ONE UEM console does not validate an incoming request during device enrollment.VMware has evaluated the severity of this issue to be in the low
 severity range with a maximum CVSSv3 base score of 3.7.

A malicious actor may be able to inject code or redirect a user to another site during the enrollment process.

To remediate CVE-2021-21990, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

None.

None.

None.

VMware would like to thank Mr. Lauritz Holtmann and Mr. Leif Enders of usd AG for reporting this issue to us.

Fixed Version(s) and Release Notes:

VMware Workspace ONE UEM console 2102 - On-Prem
https://resources.workspaceone.com/view/48ktw9p6spmq8dflll49/en

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2102/rn/Workspace-ONE-UEM-2102-Release-Notes.html#21-2-0-8-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2101 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2101/rn/Workspace-ONE-UEM-2101-Release-Notes.html#21-1-0-14-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2011 - On-Prem

https://resources.workspaceone.com/view/pdwkjgfsb8b57cxvfnpd/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2011/rn/VMware-Workspace-ONE-UEM-Release-Notes-2011.html#20-11-0-27-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2010 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2010/rn/VMware-Workspace-ONE-UEM-Release-Notes-2010.html#20-10-0-16-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2008 - On-Prem

https://resources.workspaceone.com/view/5qtfg6xhrkcp6vp4t4l7/en

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2008/rn/VMware-Workspace-ONE-UEM-Release-Notes-2008.html#20-8-0-28-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2007 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2007/rn/VMware-Workspace-ONE-UEM-Release-Notes-2007.html#20-7-0-14-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2006 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2006/rn/VMware-Workspace-ONE-UEM-Release-Notes-2006.html#20-6-0-19-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2005 - On-Prem

https://resources.workspaceone.com/view/3s4wvw2b3wp5mfs3y8s7/en

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2005/rn/VMware-Workspace-ONE-UEM-Release-Notes-2005.html#20-5-0-46-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2004 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2004/rn/VMware-Workspace-ONE-UEM-Release-Notes-2004.html#20-4-0-21-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 2003 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2003/rn/VMware-Workspace-ONE-UEM-Release-Notes-2003.html#20-3-0-23-patch-resolved-issue-resolved

VMware Workspace ONE UEM console 2001 - On-Prem

https://resources.workspaceone.com/view/zmbk3nnwjhfr8jhkhyjc/en

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2001/rn/VMware-Workspace-ONE-UEM-Release-Notes-2001.html#20-1-0-32-patch-resolved-issues-resolved

VMware Workspace ONE UEM console 1912 - Cloud Only
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1912/rn/VMware

Additional Documentation

None

Mitre CVE Dictionary Links

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21990

FIRST CVSSv3 Calculator

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

2021-05-11: VMSA-2021-21990
Initial security advisory.

E-mail list for product security notifications and announcements:

https://lists.vmware.com/mailman/listinfo/security-announce 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  

bugtraq@securityfocus.com  

fulldisclosure@seclists.org 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055 

VMware Security Advisories

https://www.vmware.com/security/advisories 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

Twitter

https://twitter.com/VMwareSRC

Copyright 2020 VMware Inc. All rights reserved.