CVE-2021-22056: VMSA-2021-0030
VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 and Identity Manager 3.3.5, 3.3.4, and 3.3.3 contain an SSRF vulnerability. A malicious actor with network access may be able to make HTTP requests to arbitrary origins and read the full response.
Advisory ID: VMSA-2021-0030
CVSSv3 Range: 5.5-6.6
Issue Date: 2021-12-17
Updated On: 2021-12-17 (Initial Advisory)
CVE(s): CVE-2021-22056, CVE-2021-22057
Synopsis: VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities (CVE-2021-22056, CVE-2021-22057)
****1. Impacted Products****
- VMware Workspace ONE Access (Access)
- VMware Identity Manager (vIDM)
- VMware vRealize Automation (vRA)
- VMware Cloud Foundation
- vRealize Suite Lifecycle Manager
****2. Introduction****
Multiple vulnerabilities were privately reported to VMware. Patches are available to address these vulnerabilities in affected VMware products.
****3a. Server Side Request Forgery vulnerability in VMware Workspace ONE Access (CVE-2021-22056)****
VMware Workspace ONE Access and Identity Manager contain a Server Side Request Forgery vulnerability. VMware has evaluated this issue to be of Moderate severity with a maximum CVSSv3 base score of 5.5.
A malicious actor with network access may be able to make HTTP requests to arbitrary origins and read the full response.
Fixes for CVE-2021-22056 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
[1] The patches listed in the “Fixed Version” column of the table below address the Apache log4j security issue identified by CVE-2021-44228 (this is documented in VMSA-2021-0028). For Access 21.08.0.1 and vRealize Automation 8.x consult VMSA-2021-0028 for information on mitigation of CVE-2021-44228.
[2] vRealize Automation 8.x is unaffected since it does not use embedded vIDM. If vIDM has been deployed with vRA 8.x, fixes should be applied directly to vIDM.
[3] vRealize Automation 7.6 is affected since it uses embedded vIDM.
VMware would like to thank Shubham Shah of Assetnote and Keiran Sampson for reporting this issue to us.
****3b. Authentication bypass vulnerability in VMware Workspace ONE Access (CVE-2021-22057)****
VMware Workspace ONE Access contains an authentication bypass vulnerability, impacting VMware Verify two-factor authentication. VMware has evaluated this issue to be of Moderate severity with a maximum CVSSv3 base score of 6.6.
A malicious actor, who has successfully provided first-factor authentication, may be able to obtain second-factor authentication provided by VMware Verify.
Fixes for CVE-2021-22057 are documented in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
[1] The patches listed in the “Fixed Version” column of the table below address the Apache log4j security issue identified by CVE-2021-44228 (this is documented in VMSA-2021-0028). For Access 21.08.0.1 and vRealize Automation 8.x consult VMSA-2021-0028 for information on mitigation of CVE-2021-44228.
Response Matrix:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version [1] | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Access | 21.08.0.1 | Linux | CVE-2021-22056, CVE-2021-22057 | 5.5, 6.6 | moderate | Unaffected | N/A | N/A |
| Access | 21.08 | Linux | CVE-2021-22056, CVE-2021-22057 | 5.5, 6.6 | moderate | KB87183 | None | None |
| Access | 20.10.0.1 | Linux | CVE-2021-22056, CVE-2021-22057 | 5.5, 6.6 | moderate | KB87183 | None | None |
| Access | 20.10 | Linux | CVE-2021-22056, CVE-2021-22057 | 5.5, 6.6 | moderate | KB87183 | None | None |
| vIDM | 3.3.5 | Linux | CVE-2021-22056 | 6.6 | moderate | KB87185 | None | None |
| vIDM | 3.3.4 | Linux | CVE-2021-22056 | 6.6 | moderate | KB87185 | None | None |
| vIDM | 3.3.3 | Linux | CVE-2021-22056 | 6.6 | moderate | KB87185 | None | None |
| vRealize Automation [2] | 8.x | Linux | CVE-2021-22056 | 5.5 | moderate | Unaffected | N/A | N/A |
| vRealize Automation (vIDM) [3] | 7.6 | Linux | CVE-2021-22056 | 5.5 | moderate | KB70911 | None | None |
Impacted Product Suites that Deploy Response Matrix Components:
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Cloud Foundation (vIDM) | 4.x | Any | CVE-2021-22056 | 5.5 | moderate | KB87183 | None | None |
| VMware Cloud Foundation (vRA) | 3.x | Any | CVE-2021-22056 | 5.5 | moderate | KB87183 | None | None |
| vRealize Suite Lifecycle Manager (vIDM) | 8.x | Any | CVE-2021-22056 | 5.5 | moderate | KB87183 | None | None |
****4. References****
****5. Change Log****
2021-12-17 VMSA-2021-0030
Initial security advisory.
****6. Contact****