
=====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN414
_____________________________________________________________________

DATE                : 20/08/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running VMware Workspace ONE UEM console
                     versions prior to 21.5.0.2, 21.2.0.14, 20.11.0.30,
                             20.0.8.32, 20.5.0.51, 20.1.0.33.

=====================================================================
https://www.vmware.com/security/advisories/VMSA-2021-0017.html
_____________________________________________________________________

Moderate

Advisory ID:    VMSA-2021-0017
CVSSv3 Range:   5.3
Issue Date:     2021-08-19
Updated On:     2021-08-19 (Initial Advisory)
CVE(s):         CVE-2021-22029


Synopsis:       VMware Workspace ONE UEM console patches address a
                denial of service vulnerability (CVE-2021-22029)


1. Impacted Products

    VMware Workspace ONE UEM console

2. Introduction

A denial of service vulnerability in VMware Workspace ONE UEM console
was privately reported to VMware. Patches are available to remediate
this vulnerability in affected VMware products.


3. Advisory Details


Description

VMware Workspace ONE UEM REST API contains a denial of service
vulnerability. VMware has evaluated this issue to be of 'Moderate'
severity with a maximum CVSSv3 base score of 5.3.


Known Attack Vectors

A malicious actor with access to /API/system/admins/session could cause
an API denial of service due to improper rate limiting.


Resolution

Fixes for CVE-2021-22029 are documented in the 'Fixed Version' column of
the 'Response Matrix' below.


Workarounds
None.


Additional Documentation

A Knowledge Base article, with information relating to
/API/system/admins/session, is listed in the 'Additional Documentation'
column of
the 'Response Matrix' below.

Notes
None.


Acknowledgements

None.


Response Matrix

Product 	Version 	Running On 	CVE Identifier 	CVSSv3 	
Severity 	Fixed Version 	Workarounds 	Additional Documentation

VMware Workspace ONE UEM console   2105   Any   CVE-2021-22029   5.3
moderate        21.5.0.2        None             KB85428

VMware Workspace ONE UEM console   2102   Any   CVE-2021-22029   5.3
moderate        21.2.0.14       None             KB85428

VMware Workspace ONE UEM console   2011   Any   CVE-2021-22029   5.3
moderate        20.11.0.30      None              KB85428

VMware Workspace ONE UEM console   2008   Any    CVE-2021-22029   5.3
moderate        20.0.8.32       None              KB85428

VMware Workspace ONE UEM console   2005   Any    CVE-2021-22029   5.3
moderate        20.5.0.51       None              KB85428

VMware Workspace ONE UEM console   2001   Any    CVE-2021-22029   5.3
moderate        20.1.0.33       None              KB85428


4. References

Fixed Version(s) and Release Notes:


VMware Workspace ONE UEM console 2105
https://resources.workspaceone.com/view/7xw2l35h6fc2pyfjgcnx/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2105/rn/Workspace-ONE-UEM-2105-Release-Notes.html


VMware Workspace ONE UEM console 2102
https://resources.workspaceone.com/view/48ktw9p6spmq8dflll49/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2102/rn/Workspace-ONE-UEM-2102-Release-Notes.html


VMware Workspace ONE UEM console 2011
https://resources.workspaceone.com/view/pdwkjgfsb8b57cxvfnpd/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2011/rn/VMware-Workspace-ONE-UEM-Release-Notes-2011.html


VMware Workspace ONE UEM console 2008
https://resources.workspaceone.com/view/5qtfg6xhrkcp6vp4t4l7/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2008/rn/VMware-Workspace-ONE-UEM-Release-Notes-2008.html


VMware Workspace ONE UEM console 2005
https://resources.workspaceone.com/view/3s4wvw2b3wp5mfs3y8s7/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2005/rn/VMware-Workspace-ONE-UEM-Release-Notes-2005.html


VMware Workspace ONE UEM console 2001
https://resources.workspaceone.com/view/zmbk3nnwjhfr8jhkhyjc/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2001/rn/VMware-Workspace-ONE-UEM-Release-Notes-2001.html


Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22029


FIRST CVSSv3 Calculator:

CVE-2021-22029 -
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L


5. Change Log

2021-08-19 VMSA-2021-0017
Initial security advisory.


6. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce


This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org


E-mail: security@vmware.com
PGP key at:
https://kb.vmware.com/kb/1055


VMware Security Advisories
https://www.vmware.com/security/advisories


VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html


VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html


VMware Security & Compliance Blog
https://blogs.vmware.com/security


Twitter
https://twitter.com/VMwareSRC



Copyright 2021 VMware Inc. All rights reserved.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================