VMware has released security updates for multiple products to address a critical vulnerability that could be exploited to gain access to confidential information.
Tracked as CVE-2021-22002 (CVSS score: 8.6) and CVE-2021-22003 (CVSS score: 3.7), the flaws affect VMware Workspace One Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
CVE-2021-22002 concerns an issue with how VMware Workspace One Access and Identity Manager allow the “/cfg” web app and diagnostic endpoints to be accessed via port 443 by tampering with a host header, resulting in a server-side request.
“A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the /cfg web app, in addition a malicious actor could access /cfg diagnostic endpoints without authentication,” the company said in its advisory. Suleyman Bayir of Trendyol has been credited with reporting the flaw.
Also addressed by VMware is an information disclosure vulnerability impacting VMware Workspace One Access and Identity Manager through an inadvertently exposed login interface on port 7443. An attacker with network access to port 7443 could potentially stage a brute-force attack, which the firm noted: “may or may not be practical based on lockout policy configuration and password complexity for the target account.”
For customers who cannot upgrade to the latest version, VMware is offering a workaround script for CVE-2021-22002 that can be deployed independently without taking the vRA appliances offline. “The workaround disables the ability to resolve the configuration page of vIDM. This endpoint is not used in vRA 7.6 environments and will not cause any impact to functionality,” the company said.