VMware Security Announcement VMSA-2021-0016 CVSSv3 Score 3.7-8.6 Important

VMware recently released a new security advisory, VMSA-2021-0016. It affects VMware Workspace ONE Access, Identity Manager and vRealize Automation. The updates address multiple vulnerabilities (CVE-2021-22002, CVE-2021-22003).

Impacted Products

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

Introduction

Multiple vulnerabilities were privately reported to VMware. Patches and workarounds are available to address these vulnerabilities in affected VMware products.

Host header tampering leading to server side request on internal restricted service (CVE-2021-22002)

Description

VMware Workspace ONE Access and Identity Manager allow the /cfg web app and diagnostic endpoints, which listen on port 8443, to be accessed via port 443 using a custom Host header. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of 8.6.

Known Attack Vectors

A malicious actor with network access to port 443 could tamper with Host headers to gain access to the /cfg web app. In addition, a malicious actor could access the /cfg diagnostic endpoints without authentication.
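As an added detection example (not code from VMware or from the advisory), the following scans constructed access-log lines from the port 443 listener and flags requests whose Host header is not an expected hostname or carries an explicit port, or whose path targets the /cfg web app that should only be reachable on 8443. The log format and the expected hostname access.example.com are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines for the 443 front end, in an assumed format
# whose last field is the client-supplied Host header. Not real VMware logs.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2021:10:00:01 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 "access.example.com"
10.0.0.9 - - [01/Sep/2021:10:00:07 +0000] "GET /cfg/ HTTP/1.1" 200 "access.example.com:8443"
10.0.0.9 - - [01/Sep/2021:10:00:09 +0000] "GET /cfg/diagnostics HTTP/1.1" 200 "localhost"
10.0.0.5 - - [01/Sep/2021:10:00:12 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 "access.example.com"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<host>[^"]*)"$'
)

# Hostnames (without port) legitimately used to reach the service on 443.
EXPECTED_HOSTS = {"access.example.com"}  # hypothetical value


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per request on the 443 listener that shows the
    Host-header tampering pattern or reaches the /cfg web app."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        host, _, port = entry["host"].partition(":")
        if host.lower() not in EXPECTED_HOSTS:
            reasons.append("unexpected Host header")
        if port:
            reasons.append("Host header carries explicit port " + port)
        if entry["path"].startswith("/cfg"):
            reasons.append("/cfg path reached on 443 listener")
        if reasons:
            findings.append({"src": entry["src"], "path": entry["path"],
                             "host": entry["host"], "reasons": "; ".join(reasons)})
    return findings
```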

Resolution

The response matrix lists twelve product/version entries: nine are fixed by the updates in KB85254, two are listed as unaffected, and one is addressed by the workaround in KB85255. Links are provided below.

References

Fixed Version:

https://kb.vmware.com/s/article/85254

Workarounds:

https://kb.vmware.com/s/article/85255