VMSA-2023-0025

Important

Advisory ID: VMSA-2023-0025

CVSSv3 Range: 8.8

Issue Date: 2023-10-31

Updated On: 2023-10-31 (Initial Advisory)

CVE(s): CVE-2023-20886

Synopsis: VMware Workspace ONE UEM console updates address an open redirect vulnerability (CVE-2023-20886)

1. Impacted Products

VMware Workspace ONE UEM console

2. Introduction

An open redirect vulnerability in VMware Workspace ONE UEM console was responsibly reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

3. Advisory Details

Description

VMware Workspace ONE UEM console contains an open redirect vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

Known Attack Vectors

A malicious actor may be able to redirect a victim to an attacker and retrieve their SAML response to login as the victim user.

Resolution

To remediate CVE-2023-20886 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank D'Angelo Gonzalez of Crowdstrike for reporting this issue to us.

Response Matrix

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
Workspace ONE UEM	2306	Any	CVE-2023-20886	N/A	N/A	Unaffected	N/A	N/A
Workspace ONE UEM	2302	Any	CVE-2023-20886	8.8	important	23.2.0.10	None	None
Workspace ONE UEM	2212	Any	CVE-2023-20886	8.8	important	22.12.0.20	None	None
Workspace ONE UEM	2209	Any	CVE-2023-20886	8.8	important	22.9.0.29	None	None
Workspace ONE UEM	2206	Any	CVE-2023-20886	8.8	important	22.6.0.36	None	None
Workspace ONE UEM	2203	Any	CVE-2023-20886	8.8	important	22.3.0.48	None	None

4. References

VMware Workspace ONE UEM Release Notes:
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/rn/Workspace-ONE-Product.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20886

FIRST CVSSv3 Calculator:
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

5. Change Log

2023-10-31: VMSA-2023-0025
Initial security advisory.

6. Contact

E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
https://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Today’s Multi-Cloud Reality: Cloud Chaos

87% of enterprises use two or more cloud environments to run their applications. Multi-cloud accelerates digital transformation, but also introduces complexity and risk, resulting in a chaotic reality for many organizations.

Conquer Cloud Chaos with VMware Cross-Cloud services

Anywhere Workspace

App Platform

Cloud & Edge Infrastructure

Cloud Management

Desktop Hypervisor

Security & Networking

Run VMware on any Cloud. Any Environment. Anywhere.

On Public & Hybrid Clouds

On Private & Local Clouds

Solutions

Anywhere Workspace
Access Any App on Any Device Securely

App Platform
Build and Operate Cloud Native Apps

Cloud Infrastructure
Run Enterprise Apps Anywhere

Cloud Management
Automate and Optimize Apps and Clouds

Edge Infrastructure
Enable the Multi-Cloud Edge

Networking
Enable Connectivity for Apps and Clouds

Security
Secure Apps and Clouds

By Industry

VMware AI Solutions

For Customers

For Partners

Working Together with Partners for Customer Success

Tools & Training

Services

Support

Marketplace

Videos

Blogs & Communities

Customers

Events

1. Impacted Products

2. Introduction

3. Advisory Details

4. References

5. Change Log

6. Contact

Today’s Multi-Cloud Reality: Cloud Chaos

87% of enterprises use two or more cloud environments to run their applications. Multi-cloud accelerates digital transformation, but also introduces complexity and risk, resulting in a chaotic reality for many organizations.

Conquer Cloud Chaos with VMware Cross-Cloud services

Anywhere Workspace

App Platform

Cloud & Edge Infrastructure

Cloud Management

Desktop Hypervisor

Security & Networking

Run VMware on any Cloud. Any Environment. Anywhere.

On Public & Hybrid Clouds

On Private & Local Clouds

Solutions

Anywhere Workspace Access Any App on Any Device Securely

App Platform Build and Operate Cloud Native Apps

Cloud Infrastructure Run Enterprise Apps Anywhere

Cloud Management Automate and Optimize Apps and Clouds

Edge Infrastructure Enable the Multi-Cloud Edge

Networking Enable Connectivity for Apps and Clouds

Security Secure Apps and Clouds

By Industry

VMware AI Solutions

For Customers

For Partners

Working Together with Partners for Customer Success

Tools & Training

Services

Support

Marketplace

Videos

Blogs & Communities

Customers

Events

1. Impacted Products

2. Introduction

3. Advisory Details

4. References

5. Change Log

6. Contact

Anywhere Workspace
Access Any App on Any Device Securely

App Platform
Build and Operate Cloud Native Apps

Cloud Infrastructure
Run Enterprise Apps Anywhere

Cloud Management
Automate and Optimize Apps and Clouds

Edge Infrastructure
Enable the Multi-Cloud Edge

Networking
Enable Connectivity for Apps and Clouds

Security
Secure Apps and Clouds