Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-22057: VMSA-2021-0030

VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 contain an authentication bypass vulnerability. A malicious actor, who has successfully provided first-factor authentication, may be able to obtain second-factor authentication provided by VMware Verify.

CVE
#vulnerability#linux#apache#ssrf#vmware#log4j#auth

Advisory ID: VMSA-2021-0030

CVSSv3 Range: 5.5-6.6

Issue Date: 2021-12-17

Updated On: 2021-12-17 (Initial Advisory)

CVE(s): CVE-2021-22056, CVE-2021-22057

Synopsis: VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities (CVE-2021-22056, CVE-2021-22057)

****1. Impacted Products****

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

****2. Introduction****

Multiple vulnerabilities were privately reported to VMware. Patches are available to address this vulnerability in affected VMware products.

****3a. Server Side Request Forgery vulnerability in VMware Workspace ONE Access (CVE-2021-22056)****

VMware Workspace ONE Access and Identity Manager, contain a Server Side Request Forgery. VMware has evaluated this issue to be of Moderate severity with a maximum CVSSv3 base score of 5.5.

A malicious actor with network access may be able to make HTTP requests to arbitrary origins and read the full response.

Fixes for CVE-2021-22056 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

[1] The patches listed in the “Fixed Version” column of the table below address the Apache log4j security issue identified by CVE-2021-44228 (this is documented in VMSA-2021-0028). For Access 21.08.0.1 and vRealize Automation 8.x consult VMSA-2021-0028 for information on mitigation of CVE-2021-44228.
[2] vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM.
[3] vRealize Automation 7.6 is affected since it uses embedded vIDM.

VMware would like to thank Shubham Shah of Assetnote and Keiran Sampson for reporting this issue to us.

****3b.Authentication bypass vulnerability in VMware Workspace ONE Access (CVE-2021-22057)****

VMware Workspace ONE Access contains an authentication bypass vulnerability, impacting VMware Verify two factor authentication. VMware has evaluated this issue to be of Moderate severity with a maximum CVSSv3 base score of 6.6.

A malicious actor, who has successfully provided first-factor authentication, may be able to obtain second-factor authentication provided by VMware Verify.

Fixes for CVE-2021-22057 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

[1] The patches listed in the “Fixed Version” column of the table below address the Apache log4j security issue identified by CVE-2021-44228 (this is documented in VMSA-2021-0028). For Access 21.08.0.1 and vRealize Automation 8.x consult VMSA-2021-0028 for information on mitigation of CVE-2021-44228.

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version [1]

Workarounds

Additional Documentation

Access

21.08.0.1

Linux

CVE-2021-22056, CVE-2021-22057

5.5, 6.6

moderate

Unaffected

N/A

N/A

Access

21.08

Linux

CVE-2021-22056, CVE-2021-22057

5.5, 6.6

moderate

KB87183

None

None

Access

20.10.0.1

Linux

CVE-2021-22056, CVE-2021-22057

5.5, 6.6

moderate

KB87183

None

None

Access

20.10

Linux

CVE-2021-22056, CVE-2021-22057

5.5, 6.6

moderate

KB87183

None

None

vIDM

3.3.5

Linux

CVE-2021-22056

5.5

moderate

KB87185

None

None

vIDM

3.3.4

Linux

CVE-2021-22056

5.5

moderate

KB87185

None

None

vIDM

3.3.3

Linux

CVE-2021-22056

5.5

moderate

KB87185

None

None

vRealize Automation [2]

8.x

Linux

CVE-2021-22056

5.5

moderate

Unaffected

N/A

N/A

vRealize Automation (vIDM) [3]

7.6

Linux

CVE-2021-22056

5.5

moderate

KB70911

None

None

Impacted Product Suites that Deploy Response Matrix Components:

Product

Version

Running On

CVE Identifier

CVSSv3

Severity

Fixed Version

Workarounds

Additional Documentation

VMware Cloud Foundation (vIDM)

4.x

Any

CVE-2021-22056

5.5

moderate

KB87183

None

None

VMware Cloud Foundation (vRA)

3.x

Any

CVE-2021-22056

5.5

moderate

KB87183

None

None

vRealize Suite Lifecycle Manager (vIDM)

8.x

Any

CVE-2021-22056

5.5

moderate

KB87183

None

None

****4. References****

****5. Change Log****

2021-12-17 VMSA-2021-0030
Initial security advisory.

****6. Contact****

Related news

Understanding the Red Hat security impact scale

Red Hat uses a four-point impact scale to classify security issues affecting our products. Have you ever asked yourself what it takes and what the requirements are for each point of the scale? We will talk through the highlights of our process in this article.Is this a CVE?First and foremost, what is a CVE? Short for Common Vulnerabilities and Exposures, it is a list of publicly disclosed computer security flaws. Learn more in this Red Hat post.To receive a severity rating, the issue needs to be a CVE. But what does it take to be a CVE? In order to warrant a CVE ID, a vulnerability has to comp

2022's most routinely exploited vulnerabilities—history repeats

Categories: Exploits and vulnerabilities Categories: News Tags: Zoho ManageEngine Tags: CVE-2021-40539 Tags: Log4Shell Tags: CVE-2021-44228 Tags: CVE-2021-13379 Tags: ProxyShell Tags: CVE-2021-34473 Tags: CVE-2021-31207 Tags: CVE-2021-34523 Tags: CVE-2021-26084 Tags: Atlassian Tags: CVE-2022-22954 Tags: CVE-2022-22960 Tags: CVE-2022-26134 Tags: CVE-2022-1388 Tags: CVE-2022-30190 Tags: Follina What can the routinely exploited vulnerabilities of 2022 tell us, and what do we think will make it on to next year's list? (Read more...) The post 2022's most routinely exploited vulnerabilities—history repeats appeared first on Malwarebytes Labs.

CVE-2023-28864: Chef Infra Server Release Notes

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.

CVE-2022-47501: The Apache OFBiz® Project - Security

Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a  pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.

CVE-2023-28069: DSA-2022-258: Dell Streaming Data Platform Security Update for Multiple Third-Party Component Vulnerabilities

Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.

Healthcare in the Crosshairs of North Korean Cyber Operations

CISA, FBI, and South Korean intelligence agencies warn that the North Korean government is sponsoring ransomware attacks to fund its cyber-espionage activities.

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Intel Data Center Manager 5.1 Local Privilege Escalation

The latest version (5.1) and all prior versions of Intel's Data Center Manager are vulnerable to a local privileges escalation vulnerability using the application user "dcm" used to run the web application and the rest interface. An attacker who gained remote code execution using this dcm user (i.e., through Log4j) is then able to escalate their privileges to root by abusing a weak sudo configuration for the "dcm" user.

One Year After Log4Shell, Most Firms Are Still Exposed to Attack

Though there have been fewer than expected publicly reported attacks involving the vulnerability, nearly three-quarters of organizations remain exposed to it.

Quarterly Report: Incident Response Trends in Q3 2022

Ransomware and pre-ransomware engagements make up 40 percent of threats seen this quarter By Caitlin Huey. For the first time since compiling these reports, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats this quarter.   It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective. This quarter featured a variety of publicly available tools and scripts hosted on GitHub repositories or other third-party websites to support operations across multiple stages of the attack lifecycle. This activity coincides with a general increase in the use of other dual-use tools, such as the legitimate red-teaming ...

CVE-2022-34102: Crestron Electronics, Inc.

Insufficient access control vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.

Vulnerability Exploits, Not Phishing, Are the Top Cyberattack Vector for Initial Compromise

A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.

CVE-2022-32552: Security Advisory for security-bundle-2022-04-04

Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to a privilege escalation via the manipulation of Python environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. No other Pure Storage products or services are affected. Remediation is available from Pure Storage via a self-serve “opt-in” patch, manual patch application or a software upgrade to an unaffected version of Purity software.

CVE-2021-44548: Solr™ Security News

An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.

Microsoft’s Response to CVE-2021-44228 Apache Log4j 2

Published on: 2021 Dec 11, updated 2022 Apr 6. SUMMARY SUMMARY Microsoft continues our analysis of the remote code execution vulnerabilities related to Apache Log4j (a logging tool used in many Java-based applications) disclosed on 9 Dec 2021. Currently, Microsoft is not aware of any impact, outside of the initial disclosure involving Minecraft: Java Edition, to the security of our enterprise services and has not experienced any degradation in availability of those services as a result of this vulnerability.

CVE-2021-44228: Log4j – Apache Log4j Security Vulnerabilities

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

CVE-2020-35198: Wind River

An issue was discovered in Wind River VxWorks 7. The memory allocator has a possible integer overflow in calculating a memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.

CVE-2016-6816: Apache Tomcat® - Apache Tomcat 9 vulnerabilities

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907