===================================================================== CERT-Renater Note d'Information No. 2023/VULN210 _____________________________________________________________________ DATE : 07/06/2023 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running VMware Workspace ONE Access versions prior to 22.09.1.0, VMware Identity Manager (vIDM) versions prior to 3.3.7, VMware Cloud Foundation (vIDM). ===================================================================== https://www.vmware.com/security/advisories/VMSA-2023-0011.html _____________________________________________________________________ 1. Impacted Products VMware Workspace ONE Access (Access) VMware Identity Manager (vIDM) VMware Cloud Foundation (Cloud Foundation) 2. Introduction An insecure redirect vulnerability in Workspace ONE Access and Identity Manager was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products. 3a. Insecure Redirect Vulnerability (CVE-2023-20884) Description VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.1. Known Attack Vectors An unauthenticated malicious actor may be able to redirect a victim to an attacker controlled domain due to improper path handling leading to sensitive information disclosure. Resolution To remediate CVE-2023-20884 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below. Workarounds None. Additional Documentation None. Notes None. Acknowledgements VMware would like to thank Hari Namburi of Wells Fargo for reporting this vulnerability to us. Response Matrix Product Version Running CVE Identifier CVSSv3 Severity Fixed Workarounds Additional On Version Documentation Workspace 22.09.1.0 Linux CVE-2023-20884 6.1 moderate KB92512 None None ONE Access Workspace 22.09.0.0 Linux CVE-2023-20884 6.1 moderate 22.09.1.0 None None ONE Access Workspace 21.08.x Linux CVE-2023-20884 6.1 moderate 22.09.1.0 None None ONE Access Workspace ONE Access All Windows CVE-2023-20884 N/A N/A Unaffected N/A N/A Connector VMware Identity 3.3.7 Linux CVE-2023-20884 6.1 moderate KB92512 None None Manager (vIDM) VMware Identity 3.3.6 Linux CVE-2023-20884 6.1 moderate 3.3.7 None None Manager (vIDM) VMware Identity Manager All Windows CVE-2023-20884 N/A N/A Unaffected N/A N/A (vIDM) Connector VMware Cloud Any Any CVE-2023-20884 6.1 moderate KB92512 None None Foundation (vIDM) 4. References VMware Workspace ONE Access 22.09.1.0 KB92512 VMware Identity Manager (vIDM) KB92512 VMware Cloud Foundation (vIDM) KB92512 Mitre CVE Dictionary Links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20884 FIRST CVSSv3 Calculator: CVE-2023-20884: 6.1 https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/ AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 5. Change Log 2023-05-30: VMSA-2023-0011 Initial security advisory. 6. Contact E-mail: security@vmware.com PGP key at: https://kb.vmware.com/kb/1055 VMware Security Advisories http://www.vmware.com/security/advisories VMware Security Response Policy https://www.vmware.com/support/policies/security_response.html VMware Lifecycle Support Phases https://www.vmware.com/support/policies/lifecycle.html VMware Security & Compliance Blog https://blogs.vmware.com/security Twitter https://twitter.com/VMwareSRC Copyright 2023 VMware Inc. All rights reserved. ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================