VMware Security Announcement VMSA-2021-0017 CVSSv3 Score 5.3 Moderate

A new security advisory was recently released that affects the VMware Workspace ONE UEM console. The patches address a denial of service vulnerability (CVE-2021-22029).

Impacted Products
  • VMware Workspace ONE UEM console

Introduction

A denial of service vulnerability in VMware Workspace ONE UEM console was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.

Advisory Details

Description

VMware Workspace ONE UEM REST API contains a denial of service vulnerability. VMware has evaluated this issue to be of 'Moderate' severity with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with access to /API/system/admins/session could cause an API denial of service due to improper rate limiting.
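While patching is being scheduled, request bursts against this endpoint can be spotted in web server logs. The following is an added example, not code from VMware or from this post: it assumes the API tier's requests are available as W3C extended logs (the format IIS writes), and the sample lines, the threshold of 5 requests and the 10-second window are constructed values to tune for your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENDPOINT = "/api/system/admins/session"  # path named in the advisory, lowercased for matching

def build_sample():
    """Constructed W3C-style log: one client bursts, another calls the endpoint twice."""
    lines = ["#Fields: date time c-ip cs-method cs-uri-stem sc-status"]
    lines += [f"2021-09-01 10:00:{s:02d} 198.51.100.7 POST /API/system/admins/session 200" for s in range(8)]
    lines += ["2021-09-01 10:00:08 203.0.113.5 GET /API/help 200",
              "2021-09-01 10:00:09 203.0.113.5 POST /API/system/admins/session 200",
              "2021-09-01 10:01:10 203.0.113.5 POST /API/system/admins/session 200"]
    return "\n".join(lines)

def parse(log_text):
    """Yield (timestamp, client_ip, uri), locating columns from the #Fields directive."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        parts = line.split()
        if line.startswith("#") or not fields or len(parts) != len(fields):
            continue  # other directives, blank lines, malformed rows
        row = dict(zip(fields, parts))
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        yield ts, row["c-ip"], row["cs-uri-stem"]

def find_bursts(log_text, max_requests=5, window_seconds=10):
    """Return {client_ip: peak count} for clients exceeding max_requests inside any window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    peaks = {}
    for ts, ip, uri in parse(log_text):
        if uri.lower().rstrip("/") != ENDPOINT:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:   # drop requests that fell out of the window
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

if __name__ == "__main__":
    print(find_bursts(build_sample()))
```

If a reverse proxy or load balancer sits in front of the console, key on the forwarded client address field instead of `c-ip`.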

Resolution

For VMware Workspace ONE UEM console version 2105, apply fixed version 21.5.0.2. Download links are provided below.

For VMware Workspace ONE UEM console version 2102, apply fixed version 21.2.0.14. Download links are provided below.

For VMware Workspace ONE UEM console version 2011, apply fixed version 20.11.0.30. Download links are provided below.

For VMware Workspace ONE UEM console version 2008, apply fixed version 20.0.8.32. Download links are provided below.

For VMware Workspace ONE UEM console version 2005, apply fixed version 20.5.0.51. Download links are provided below.

For VMware Workspace ONE UEM console version 2001, apply fixed version 20.1.0.33. Download links are provided below.

Additional Documentation

A Knowledge Base article with information relating to /API/system/admins/session is available: FCA-197012 – Workspace ONE UEM API ‘/admins/session’ removed (85428) (vmware.com)

References

Fixed Version(s) and Release Notes:

VMware Workspace ONE UEM console 2105
https://resources.workspaceone.com/view/7xw2l35h6fc2pyfjgcnx/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2105/rn/Workspace-ONE-UEM-2105-Release-Notes.html

VMware Workspace ONE UEM console 2102
https://resources.workspaceone.com/view/48ktw9p6spmq8dflll49/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2102/rn/Workspace-ONE-UEM-2102-Release-Notes.html

VMware Workspace ONE UEM console 2011
https://resources.workspaceone.com/view/pdwkjgfsb8b57cxvfnpd/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2011/rn/VMware-Workspace-ONE-UEM-Release-Notes-2011.html

VMware Workspace ONE UEM console 2008
https://resources.workspaceone.com/view/5qtfg6xhrkcp6vp4t4l7/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2008/rn/VMware-Workspace-ONE-UEM-Release-Notes-2008.html

VMware Workspace ONE UEM console 2005
https://resources.workspaceone.com/view/3s4wvw2b3wp5mfs3y8s7/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2005/rn/VMware-Workspace-ONE-UEM-Release-Notes-2005.html

VMware Workspace ONE UEM console 2001
https://resources.workspaceone.com/view/zmbk3nnwjhfr8jhkhyjc/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2001/rn/VMware-Workspace-ONE-UEM-Release-Notes-2001.html

Here is the link to the official advisory.

VMSA-2021-0017 (vmware.com)

Happy Patching!