
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN267
_____________________________________________________________________

DATE                : 11/05/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware Workspace ONE UEM console
                     versions prior to 19.12.0.24, 20.1.0.32,
                     20.3.0.23, 20.4.0.21, 20.5.0.46, 20.6.0.19,
                     20.7.0.14, 20.8.0.28, 20.10.0.16, 20.11.0.27,
                     21.1.0.14, 21.2.0.8.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2021-0008.html
_____________________________________________________________________

Low


Advisory ID:      VMSA-2021-0008
CVSSv3 Range:     3.7
Issue Date:       2021-05-11
Updated On:       2021-05-11 (Initial Advisory)
CVE(s):           CVE-2021-21990


Synopsis:
VMware Workspace ONE UEM console patches address a Cross-site scripting
vulnerability (CVE-2021-21990)


1. Impacted Products

VMware Workspace ONE UEM console


2. Introduction

A cross-site scripting vulnerability in VMware Workspace ONE UEM console
was privately reported to VMware. Patches are available to remediate
this vulnerability in affected VMware products.


3. Cross Site Scripting (XSS) vulnerability in VMware Workspace ONE UEM
console (CVE-2021-21990)


Description

VMware Workspace ONE UEM console does not validate an incoming request
during device enrollment. VMware has evaluated the severity of this issue
to be in the low severity range with a maximum CVSSv3 base score of 3.7.


Known Attack Vectors

A malicious actor may be able to inject a script or redirect a user to
another site during the enrollment process.


Resolution

To remediate CVE-2021-21990, apply the patches listed in the 'Fixed
Version' column of the 'Resolution Matrix' found below.


Workarounds

None.


Additional Documentation

None.

Notes

Patches have been applied in shared SaaS environments.


Acknowledgements

VMware would like to thank Mr. Lauritz Holtmann and Mr. Leif Enders of
usd AG for reporting this issue to us.


Response Matrix

Product                           Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
VMware Workspace ONE UEM console  1912     Any         CVE-2021-21990  3.7     low       19.12.0.24     None         None
VMware Workspace ONE UEM console  2001     Any         CVE-2021-21990  3.7     low       20.1.0.32      None         None
VMware Workspace ONE UEM console  2003     Any         CVE-2021-21990  3.7     low       20.3.0.23      None         None
VMware Workspace ONE UEM console  2004     Any         CVE-2021-21990  3.7     low       20.4.0.21      None         None
VMware Workspace ONE UEM console  2005     Any         CVE-2021-21990  3.7     low       20.5.0.46      None         None
VMware Workspace ONE UEM console  2006     Any         CVE-2021-21990  3.7     low       20.6.0.19      None         None
VMware Workspace ONE UEM console  2007     Any         CVE-2021-21990  3.7     low       20.7.0.14      None         None
VMware Workspace ONE UEM console  2008     Any         CVE-2021-21990  3.7     low       20.8.0.28      None         None
VMware Workspace ONE UEM console  2010     Any         CVE-2021-21990  3.7     low       20.10.0.16     None         None
VMware Workspace ONE UEM console  2011     Any         CVE-2021-21990  3.7     low       20.11.0.27     None         None
VMware Workspace ONE UEM console  2101     Any         CVE-2021-21990  3.7     low       21.1.0.14      None         None
VMware Workspace ONE UEM console  2102     Any         CVE-2021-21990  3.7     low       21.2.0.8       None         None
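
Added example (not part of the VMware or CERT-Renater text): a small
triage script that compares console versions from an inventory against
the 'Fixed Version' column above. The function names, the hostnames and
the sample inventory are constructed for illustration; it assumes any
build at or above the fixed build on the same release train carries the
patch.

```python
# Fixed builds copied from the 'Fixed Version' column of the advisory matrix.
FIXED = ("19.12.0.24 20.1.0.32 20.3.0.23 20.4.0.21 20.5.0.46 20.6.0.19 "
         "20.7.0.14 20.8.0.28 20.10.0.16 20.11.0.27 21.1.0.14 21.2.0.8").split()


def parse_version(text):
    """Parse 'a.b.c.d' into a 4-tuple of ints; raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part console version: {text!r}")
    return tuple(int(p) for p in parts)


# Release train (first two fields) -> first fixed build on that train.
FIXED_BUILDS = {parse_version(v)[:2]: parse_version(v) for v in FIXED}


def assess(version_text):
    """Return (status, fixed_build_or_None) for one console version."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return ("unparseable", None)
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        # Train not in the matrix: the advisory makes no statement about it.
        return ("not-listed", None)
    # Tuple comparison is numeric per field, so 20.10.0.9 < 20.10.0.16
    # (a plain string comparison would get this wrong).
    status = "patched" if version >= fixed else "vulnerable"
    return (status, ".".join(map(str, fixed)))


def triage(inventory):
    """Map each host to its assessment; `inventory` is {host: version}."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    sample = {  # constructed inventory, not taken from the advisory
        "uem-a.example": "20.8.0.25",
        "uem-b.example": "20.10.0.16",
        "uem-c.example": "21.5.0.3",
    }
    for host, result in triage(sample).items():
        print(host, *result)
```
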


4. References

Fixed Version(s) and Release Notes:



VMware Workspace ONE UEM console 2102 - On-Prem
https://resources.workspaceone.com/view/48ktw9p6spmq8dflll49/en

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2102/rn/Workspace-ONE-UEM-2102-Release-Notes.html#21-2-0-8-patch-resolved-issues-resolved


VMware Workspace ONE UEM console 2101 - Cloud Only
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2101/rn/Workspace-ONE-UEM-2101-Release-Notes.html#21-1-0-14-patch-resolved-issues-resolved


VMware Workspace ONE UEM console 2011 - On-Prem
https://resources.workspaceone.com/view/pdwkjgfsb8b57cxvfnpd/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2011/rn/VMware-Workspace-ONE-UEM-Release-Notes-2011.html#20-11-0-27-patch-resolved-issues-resolved


VMware Workspace ONE UEM console 2010 - Cloud Only
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2010/rn/VMware-Workspace-ONE-UEM-Release-Notes-2010.html#20-10-0-16-patch-resolved-issues-resolved


VMware Workspace ONE UEM console 2008 - On-Prem
https://resources.workspaceone.com/view/5qtfg6xhrkcp6vp4t4l7/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2008/rn/VMware-Workspace-ONE-UEM-Release-Notes-2008.html#20-8-0-28-patch-resolved-issues-resolved


VMware Workspace ONE UEM console 2007 - Cloud Only
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2007/rn/VMware-Workspace-ONE-UEM-Release-Notes-2007.html#20-7-0-14-patch-resolved-issues-resolved


VMware Workspace ONE UEM console 2006 - Cloud Only
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2006/rn/VMware-Workspace-ONE-UEM-Release-Notes-2006.html#20-6-0-19-patch-resolved-issues-resolved


VMware Workspace ONE UEM console 2005 - On-Prem
https://resources.workspaceone.com/view/3s4wvw2b3wp5mfs3y8s7/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2005/rn/VMware-Workspace-ONE-UEM-Release-Notes-2005.html#20-5-0-46-patch-resolved-issues-resolved


VMware Workspace ONE UEM console 2004 - Cloud Only
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2004/rn/VMware-Workspace-ONE-UEM-Release-Notes-2004.html#20-4-0-21-patch-resolved-issues-resolved


VMware Workspace ONE UEM console 2003 - Cloud Only
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2003/rn/VMware-Workspace-ONE-UEM-Release-Notes-2003.html#20-3-0-23-patch-resolved-issue-resolved


VMware Workspace ONE UEM console 2001 - On-Prem
https://resources.workspaceone.com/view/zmbk3nnwjhfr8jhkhyjc/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2001/rn/VMware-Workspace-ONE-UEM-Release-Notes-2001.html#20-1-0-32-patch-resolved-issues-resolved


VMware Workspace ONE UEM console 1912 - Cloud Only
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1912/rn/VMware


Additional Documentation
None



Mitre CVE Dictionary Links
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21990


FIRST CVSSv3 Calculator
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N


5. Change Log

2021-05-11: VMSA-2021-21990
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/mailman/listinfo/security-announce


This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org


E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2020 VMware Inc. All rights reserved.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


