=====================================================================
CERT-Renater Information Note No. 2021/VULN417
_____________________________________________________________________

DATE                 : 20/08/2021
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running VMware Workspace ONE Access (Access),
                       VMware Identity Manager (vIDM), VMware vRealize
                       Automation (vRA), VMware Cloud Foundation,
                       vRealize Suite Lifecycle Manager.
=====================================================================

https://www.vmware.com/security/advisories/VMSA-2021-0016.html
_____________________________________________________________________

Important

Advisory ID:   VMSA-2021-0016.1
CVSSv3 Range:  3.7-8.6
Issue Date:    2021-08-05
Updated On:    2021-08-12
CVE(s):        CVE-2021-22002, CVE-2021-22003
Synopsis:      VMware Workspace ONE Access, Identity Manager and vRealize
               Automation address multiple vulnerabilities
               (CVE-2021-22002, CVE-2021-22003)

1. Impacted Products

   VMware Workspace ONE Access (Access)
   VMware Identity Manager (vIDM)
   VMware vRealize Automation (vRA)
   VMware Cloud Foundation
   vRealize Suite Lifecycle Manager

2. Introduction

   Multiple vulnerabilities were privately reported to VMware. Patches and
   workarounds are available to address these vulnerabilities in affected
   VMware products.

3a. Host header tampering leading to server side request on internal
    restricted service (CVE-2021-22002)

   Description

   VMware Workspace ONE Access and Identity Manager allow the /cfg web app
   and diagnostic endpoints, which are served on port 8443, to be reached
   via port 443 by supplying a custom Host header. VMware has evaluated this
   issue to be of 'Important' severity with a maximum CVSSv3 base score of
   8.6.

   Known Attack Vectors

   A malicious actor with network access to port 443 could tamper with the
   Host header to gain access to the /cfg web app. In addition, a malicious
   actor could reach the /cfg diagnostic endpoints without authentication.
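   The attack vector above leaves a recognisable trace: a request that
   arrives on the public 443 listener, carries a Host header that is not the
   appliance's published name, and asks for a path under /cfg. The script
   below is an added example for hunting such requests in existing web or
   reverse-proxy logs; it is not part of the VMware advisory or of this
   CERT-Renater note. The log line layout (client, local port, Host header,
   request line, status), the sample lines and the expected FQDN
   access.example.internal are all constructed assumptions for illustration;
   adapt the regular expression to the real log format before use.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed log layout (an assumption for this example, not VMware's own
# log format):
#   <client-ip> <local-port> "<Host header>" "<METHOD> <path> HTTP/x.y" <status>
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<port>\d+) "(?P<host>[^"]*)" '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Host header values legitimately expected on the 443 listener (assumed FQDN).
EXPECTED_HOSTS = {"access.example.internal", "access.example.internal:443"}

# Paths the advisory places on the restricted 8443 service.
RESTRICTED_PREFIXES = ("/cfg",)

REASON_TAMPERED = "restricted path via port 443 with tampered Host header"
REASON_EXPECTED = "restricted path via port 443 with expected Host header"


@dataclass
class Finding:
    client: str
    host: str
    path: str
    status: str
    reason: str


def _is_restricted(path: str) -> bool:
    """True for /cfg itself and anything below it, but not for /cfgfoo."""
    return any(path == p or path.startswith(p + "/") for p in RESTRICTED_PREFIXES)


def analyse(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per request on local port 443 that targets a
    restricted path. The Host header decides how suspicious it is: any
    value outside EXPECTED_HOSTS is reported as tampering; a /cfg hit with
    the expected Host is still reported, since the path should not be
    served on 443 at all (the status code shows whether it was)."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unknown layout: skip rather than guess
        if m["port"] != "443":
            continue  # direct 8443/7443 traffic is out of scope here
        path = m["path"]
        if not _is_restricted(path):
            continue
        host = m["host"].strip().lower()
        reason = REASON_EXPECTED if host in EXPECTED_HOSTS else REASON_TAMPERED
        findings.append(Finding(m["client"], m["host"], path, m["status"], reason))
    return findings


# Constructed sample log lines (not captured from a real appliance).
SAMPLE_LOG = [
    '10.0.0.5 443 "access.example.internal" "GET /SAAS/auth/login HTTP/1.1" 200',
    '203.0.113.7 443 "access.example.internal:8443" "GET /cfg/diagnostic HTTP/1.1" 200',
    '203.0.113.7 443 "localhost" "GET /cfg/setup HTTP/1.1" 302',
    '10.0.0.9 8443 "access.example.internal:8443" "GET /cfg/ HTTP/1.1" 200',
    '10.0.0.5 443 "access.example.internal" "GET /cfgfoo HTTP/1.1" 404',
]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.client:<15} host={f.host!r:<35} {f.path:<18} {f.status} {f.reason}")
```

   Run against the constructed sample, only the two requests from
   203.0.113.7 are reported: both reach /cfg on port 443 with a Host header
   that is not the published name. The admin's direct 8443 request and the
   /cfgfoo lookalike are deliberately ignored. After applying the fix from
   KB85254, a /cfg request on 443 should no longer return the application,
   so any 2xx or 3xx finding is worth a closer look.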
   Resolution

   Fixes for CVE-2021-22002 are documented in the 'Fixed Version' column of
   the 'Response Matrix' below.

   Workarounds

   Workarounds for CVE-2021-22002 are documented in the 'Workarounds' column
   of the 'Response Matrix' below.

   Additional Documentation

   None.

   Notes

   [1] vRealize Automation 7.6 is affected since it uses embedded vIDM.
   [2] vRealize Automation 8.x is unaffected since it does not use embedded
       vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied
       directly to vIDM.

   Acknowledgements

   VMware would like to thank Suleyman Bayir of Trendyol and Mehmet İnce of
   PRODAFT SARL for reporting this issue to us.

3b. Information Disclosure Vulnerability (CVE-2021-22003)

   Description

   VMware Workspace ONE Access and Identity Manager unintentionally expose a
   login interface on port 7443. VMware has evaluated this issue to be of
   'Low' severity with a maximum CVSSv3 base score of 3.7.

   Known Attack Vectors

   A malicious actor with network access to port 7443 may attempt user
   enumeration or brute-force the login endpoint. Whether this is practical
   depends on the lockout policy configuration and the password complexity
   of the target account.

   Resolution

   Fixes for CVE-2021-22003 are documented in the 'Fixed Version' column of
   the 'Response Matrix' below.

   Workarounds

   None.

   Additional Documentation

   None.

   Notes

   [2] vRealize Automation 8.x is unaffected since it does not use embedded
       vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied
       directly to vIDM.

   Acknowledgements

   None.
   Response Matrix:

   Product                         Version   Running On  CVE Identifier                  CVSSv3    Severity   Fixed Version  Workarounds  Additional Documentation
   Access                          20.10.01  Linux       CVE-2021-22002, CVE-2021-22003  8.6, 3.7  important  KB85254        None         None
   Access                          20.10     Linux       CVE-2021-22002, CVE-2021-22003  8.6, 3.7  important  KB85254        None         None
   Access                          20.01     Linux       CVE-2021-22002, CVE-2021-22003  8.6, 3.7  important  KB85254        None         None
   vIDM                            3.3.5     Linux       CVE-2021-22002, CVE-2021-22003  8.6, 3.7  important  KB85254        None         None
   vIDM                            3.3.4     Linux       CVE-2021-22002, CVE-2021-22003  8.6, 3.7  important  KB85254        None         None
   vIDM                            3.3.3     Linux       CVE-2021-22002, CVE-2021-22003  8.6, 3.7  important  KB85254        None         None
   vIDM                            3.3.2     Linux       CVE-2021-22002, CVE-2021-22003  8.6, 3.7  important  KB85254        None         None
   vRealize Automation [2]         8.x       Linux       CVE-2021-22002, CVE-2021-22003  N/A       N/A        Unaffected     N/A          N/A
   vRealize Automation (vIDM) [1]  7.6       Linux       CVE-2021-22002                  8.6       important  Patch Planned  KB85255      None
   vRealize Automation (vIDM)      7.6       Linux       CVE-2021-22003                  N/A       N/A        Unaffected     N/A          N/A

   Impacted Product Suites that Deploy Response Matrix Components:

   Product                                  Version  Running On  CVE Identifier                  CVSSv3    Severity   Fixed Version  Workarounds  Additional Documentation
   VMware Cloud Foundation (vIDM)           4.x      Any         CVE-2021-22002, CVE-2021-22003  8.6, 3.7  important  KB85254        None         None
   vRealize Suite Lifecycle Manager (vIDM)  8.x      Any         CVE-2021-22002, CVE-2021-22003  8.6, 3.7  important  KB85254        None         None

4. References

   Fixed Version:
   https://kb.vmware.com/s/article/85254

   Workarounds:
   https://kb.vmware.com/s/article/85255

   Mitre CVE Dictionary Links:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22002
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22003

   FIRST CVSSv3 Calculator:
   CVE-2021-22002 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
   CVE-2021-22003 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

5. Change Log

   2021-08-05  VMSA-2021-0016    Initial Security Advisory.
   2021-08-12  VMSA-2021-0016.1  Added VMware Workspace ONE Access 20.01 to
                                 Response Matrix.

6. Contact

   E-mail list for product security notifications and announcements:
   https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:
     security-announce@lists.vmware.com
     bugtraq@securityfocus.com
     fulldisclosure@seclists.org

   E-mail: security@vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   https://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2021 VMware Inc. All rights reserved.

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44              +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41              +
+ 75013 Paris        | email : cert@support.renater.fr   +
=========================================================