VMSA-2021-0030:VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities
23626
15 December 2021
16 December 2021
CLOSED
MEDIUM
5.5-6.6
CVE-2021-22056,CVE-2021-22057
1. Impacted Products
- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation (Cloud Foundation)
- vRealize Suite Lifecycle Manager
2. Introduction
Multiple vulnerabilities were privately reported to VMware. Patches are available to address these vulnerabilities in affected VMware products.
3a. Server Side Request Forgery vulnerability in VMware Workspace ONE Access (CVE-2021-22056)
Description
VMware Workspace ONE Access and Identity Manager contain a Server Side Request Forgery vulnerability. VMware has evaluated this issue to be of Moderate severity with a maximum CVSSv3 base score of 5.5.
Known Attack Vectors
A malicious actor with network access may be able to make HTTP requests to arbitrary origins and read the full response.
Resolution
Fixes for CVE-2021-22056 are documented in the 'Fixed Version' column of the 'Response Matrix' below.
Workarounds
None
Additional Documentation
None
Notes
[1] The patches listed in the "Fixed Version" column of the table below address the Apache log4j security issue identified by CVE-2021-44228 (this is documented in VMSA-2021-0028). For Access 21.08.0.1 and vRealize Automation 8.x consult VMSA-2021-0028 for information on mitigation of CVE-2021-44228.
[2] vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM.
[3] vRealize Automation 7.6 is affected since it uses embedded vIDM.
Acknowledgements
VMware would like to thank Shubham Shah of Assetnote and Keiran Sampson for reporting this issue to us.
3b. Authentication bypass vulnerability in VMware Workspace ONE Access (CVE-2021-22057)
Description
VMware Workspace ONE Access contains an authentication bypass vulnerability impacting VMware Verify two-factor authentication. VMware has evaluated this issue to be of Moderate severity with a maximum CVSSv3 base score of 6.6.
Known Attack Vectors
A malicious actor, who has successfully provided first-factor authentication, may be able to obtain second-factor authentication provided by VMware Verify.
Resolution
Fixes for CVE-2021-22057 are documented in the 'Fixed Version' column of the 'Response Matrix' below.
Workarounds
None.
Additional Documentation
None.
Notes
[1] The patches listed in the "Fixed Version" column of the table below address the Apache log4j security issue identified by CVE-2021-44228 (this is documented in VMSA-2021-0028). For Access 21.08.0.1 and vRealize Automation 8.x consult VMSA-2021-0028 for information on mitigation of CVE-2021-44228.
Acknowledgements
None.
Response Matrix:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version [1] | Workarounds | Additional Documentation |
Access | 21.08.0.1 | Linux | CVE-2021-22056, CVE-2021-22057 | 5.5, 6.6 | moderate | Unaffected | N/A | N/A |
Access | 21.08 | Linux | CVE-2021-22056, CVE-2021-22057 | 5.5, 6.6 | moderate | None | None | |
Access | 20.10.0.1 | Linux | CVE-2021-22056, CVE-2021-22057 | 5.5, 6.6 | moderate | None | None | |
Access | 20.10 | Linux | CVE-2021-22056, CVE-2021-22057 | 5.5, 6.6 | moderate | None | None | |
vIDM | 3.3.5 | Linux | CVE-2021-22056 | 5.5 | moderate | None | None | |
vIDM | 3.3.4 | Linux | CVE-2021-22056 | 5.5 | moderate | None | None | |
vIDM | 3.3.3 | Linux | CVE-2021-22056 | 5.5 | moderate | None | None | |
vRealize Automation [2] | 8.x | Linux | CVE-2021-22056 | 5.5 | moderate | Unaffected | N/A | N/A |
vRealize Automation (vIDM) [3] | 7.6 | Linux | CVE-2021-22056 | 5.5 | moderate | None | None | |
Impacted Product Suites that Deploy Response Matrix Components:
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
VMware Cloud Foundation (vIDM) | 4.x | Any | CVE-2021-22056 | 5.5 | moderate | None | None | |
VMware Cloud Foundation (vRA) | 3.x | Any | CVE-2021-22056 | 5.5 | moderate | None | None | |
vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2021-22056 | 5.5 | moderate | None | None | |
4. References
Fixed Version:
VMware Workspace ONE Access 21.08.0.1
https://docs.vmware.com/en/VMware-Workspace-ONE-Access/21.08.0.1/rn/vmware-workspace-one-access-210801-release-notes/index.html
VMware Workspace ONE Access 21.08, 20.10.0.1, 20.10
https://kb.vmware.com/s/article/87183
VMware Identity Manager (vIDM) 3.3.5, 3.3.4, 3.3.3
https://kb.vmware.com/s/article/87185
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22056
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22057
FIRST CVSSv3 Calculator:
CVE-2021-22056 https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
CVE-2021-22057 https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
5. Change Log
2021-12-17 VMSA-2021-0030
Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
E-mail: [email protected]
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2021 VMware Inc. All rights reserved.