Severity: Moderate
Advisory ID: VMSA-2021-0030
CVSSv3 Range: 5.5-6.6
Issue Date: 2021-12-17
Updated On: 2021-12-17 (Initial Advisory)
CVE(s): CVE-2021-22056, CVE-2021-22057
Synopsis: VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities (CVE-2021-22056, CVE-2021-22057)

1. Impacted Products
  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

2. Introduction

Multiple vulnerabilities were privately reported to VMware. Patches are available to address these vulnerabilities in affected VMware products.

3a. Server Side Request Forgery vulnerability in VMware Workspace ONE Access (CVE-2021-22056)

Description

VMware Workspace ONE Access and Identity Manager contain a Server Side Request Forgery vulnerability. VMware has evaluated this issue to be of Moderate severity with a maximum CVSSv3 base score of 5.5.

Known Attack Vectors

A malicious actor with network access may be able to make HTTP requests to arbitrary origins and read the full response.

Resolution

Fixes for CVE-2021-22056 are documented in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None

Additional Documentation

None

Notes

[1] The patches listed in the "Fixed Version" column of the table below address the Apache log4j security issue identified by CVE-2021-44228 (this is documented in VMSA-2021-0028). For Access 21.08.0.1 and vRealize Automation 8.x consult VMSA-2021-0028 for information on mitigation of CVE-2021-44228.
[2] vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM.
[3] vRealize Automation 7.6 is affected since it uses embedded vIDM.

Acknowledgements

VMware would like to thank Shubham Shah of Assetnote and Keiran Sampson for reporting this issue to us.

3b. Authentication bypass vulnerability in VMware Workspace ONE Access (CVE-2021-22057)

Description

VMware Workspace ONE Access contains an authentication bypass vulnerability, impacting VMware Verify two-factor authentication. VMware has evaluated this issue to be of Moderate severity with a maximum CVSSv3 base score of 6.6.

Known Attack Vectors

A malicious actor, who has successfully provided first-factor authentication, may be able to obtain second-factor authentication provided by VMware Verify.

Resolution

Fixes for CVE-2021-22057 are documented in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

[1] The patches listed in the "Fixed Version" column of the table below address the Apache log4j security issue identified by CVE-2021-44228 (this is documented in VMSA-2021-0028). For Access 21.08.0.1 and vRealize Automation 8.x consult VMSA-2021-0028 for information on mitigation of CVE-2021-44228.

Acknowledgements

None.

Response Matrix:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version [1] | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Access | 21.08.0.1 | Linux | CVE-2021-22056, CVE-2021-22057 | 5.5, 6.6 | moderate | Unaffected | N/A | N/A |
| Access | 21.08 | Linux | CVE-2021-22056, CVE-2021-22057 | 5.5, 6.6 | moderate | | None | None |
| Access | 20.10.0.1 | Linux | CVE-2021-22056, CVE-2021-22057 | 5.5, 6.6 | moderate | | None | None |
| Access | 20.10 | Linux | CVE-2021-22056, CVE-2021-22057 | 5.5, 6.6 | moderate | | None | None |
| vIDM | 3.3.5 | Linux | CVE-2021-22056 | 5.5 | moderate | | None | None |
| vIDM | 3.3.4 | Linux | CVE-2021-22056 | 5.5 | moderate | | None | None |
| vIDM | 3.3.3 | Linux | CVE-2021-22056 | 5.5 | moderate | | None | None |
| vRealize Automation [2] | 8.x | Linux | CVE-2021-22056 | 5.5 | moderate | Unaffected | N/A | N/A |
| vRealize Automation (vIDM) [3] | 7.6 | Linux | CVE-2021-22056 | 5.5 | moderate | | None | None |

Impacted Product Suites that Deploy Response Matrix Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Cloud Foundation (vIDM) | 4.x | Any | CVE-2021-22056 | 5.5 | moderate | | None | None |
| VMware Cloud Foundation (vRA) | 3.x | Any | CVE-2021-22056 | 5.5 | moderate | | None | None |
| vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2021-22056 | 5.5 | moderate | | None | None |

4. References
5. Change Log

2021-12-17 VMSA-2021-0030
Initial security advisory.

 

6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org

E-mail: security@vmware.com
PGP key at: https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2021 VMware Inc. All rights reserved.