VMware has released security updates for several products to address a high-severity vulnerability that could be exploited to gain access to sensitive information.
Tracked as CVE-2021-22002 (CVSS score: 8.6) and CVE-2021-22003 (CVSS score: 3.7), the flaws affect VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
CVE-2021-22002 concerns an issue with how VMware Workspace ONE Access and Identity Manager allow the "/cfg" web app and its diagnostic endpoints to be reached through port 443: a client supplies a tampered Host header, and the server treats the request as if it had arrived on an internal interface, producing a server-side request to endpoints that were never meant to be reachable from the outside.
"A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the /cfg web app, in addition a malicious actor could access /cfg diagnostic endpoints without authentication," the company said in its advisory. Suleyman Bayir of Trendyol has been credited with reporting the flaw.
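The bug class behind CVE-2021-22002 is routing decisions driven by the client-controlled Host header. The following is an added example, not VMware's code: it contrasts a weak router that lets the Host header select an internal vhost with a hardened one that allowlists Host values, ties vhost selection to the listener, and keeps authentication on the diagnostics path, and it adds a log check for the probes this invites. Only the /cfg and diagnostics paths and port 443 come from the advisory; the vhost names (`sso.example.com`, `admin.local`), the request format, the log format and the sample entries are constructed for illustration.

```python
"""Host-header based access to internal endpoints: the weak routing pattern,
a hardened version, and a log check for the probes it invites.

Added example, not VMware's code. Only the paths (/cfg, /cfg diagnostics) and
the public port (443) come from the advisory; the vhost names, the request
format, the log format and the sample entries are constructed for illustration.
"""
import re

PUBLIC_HOST = "sso.example.com"     # assumed public name of the 443 listener
INTERNAL_CFG_HOST = "admin.local"   # assumed name of the internal config vhost


def parse_request(raw: str) -> dict:
    """Parse a minimal HTTP/1.1 request into method, path and lower-cased headers."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def route_weak(req: dict) -> tuple:
    """Weak pattern: the client-supplied Host header alone selects the vhost,
    so any client that can reach port 443 can name the internal vhost and
    land on /cfg and its diagnostics with no authentication check."""
    host = req["headers"].get("host", "").split(":")[0]
    if host == INTERNAL_CFG_HOST:
        if req["path"].startswith("/cfg/diagnostics"):
            return 200, "diagnostics"
        if req["path"].startswith("/cfg"):
            return 200, "config app"
    if req["path"].startswith("/cfg"):
        return 404, "not found"
    return 200, "login page"


def route_hardened(req: dict, client_is_internal: bool = False,
                   authenticated: bool = False) -> tuple:
    """Hardened: Host is validated against an allowlist, vhost selection is
    tied to the listener the request arrived on (not to the header), and the
    diagnostics endpoints still require authentication."""
    host = req["headers"].get("host", "").split(":")[0]
    if host not in {PUBLIC_HOST, INTERNAL_CFG_HOST}:
        return 400, "bad host"
    if req["path"].startswith("/cfg"):
        if not client_is_internal:
            return 404, "not found"   # /cfg is never served on the public listener
        if not authenticated:
            return 401, "authentication required"
        return 200, "config app"
    return 200, "login page"


# Constructed access-log format: <src> "<method> <path> HTTP/x" <status> host="<Host>"
LOG_RE = re.compile(r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
                    r'(?P<status>\d{3}) host="(?P<host>[^"]*)"$')

SAMPLE_LOG = [  # constructed entries, not real VMware logs
    '203.0.113.7 "GET /cfg/diagnostics HTTP/1.1" 200 host="admin.local"',
    '198.51.100.4 "GET /login HTTP/1.1" 200 host="sso.example.com"',
    '203.0.113.7 "GET /cfg HTTP/1.1" 200 host="localhost"',
    '192.0.2.9 "POST /cfg HTTP/1.1" 404 host="sso.example.com"',
]


def flag_cfg_probes(log_lines, allowed_hosts=(PUBLIC_HOST,)) -> list:
    """Return (src, host, path, status) for /cfg requests on the public
    listener whose Host value is not the public name: the signature of
    Host-header tampering, whether or not it succeeded."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = m.group("host").split(":")[0]
        if m.group("path").startswith("/cfg") and host not in allowed_hosts:
            hits.append((m.group("src"), host, m.group("path"), m.group("status")))
    return hits


if __name__ == "__main__":
    probe = parse_request("GET /cfg/diagnostics HTTP/1.1\r\nHost: admin.local\r\n\r\n")
    print("weak:", route_weak(probe))            # (200, 'diagnostics')
    print("hardened:", route_hardened(probe))    # (404, 'not found')
    for hit in flag_cfg_probes(SAMPLE_LOG):
        print("probe:", hit)
```

The detection function only works if the front end logs the Host header (or the selected vhost) alongside the path; a status of 200 on a flagged line is the case to escalate, since it means the internal vhost actually answered. The 404 entry with the public Host is not flagged: it is an ordinary failed request, not a tampering attempt.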
Also addressed by VMware is an information disclosure vulnerability (CVE-2021-22003) affecting VMware Workspace ONE Access and Identity Manager via an inadvertently exposed login interface on port 7443. An attacker with network access to port 7443 could potentially stage a brute-force attack, which the company noted "may or may not be practical based on lockout policy configuration and password complexity for the target account."
For customers who cannot upgrade to the latest version, VMware is providing a workaround script for CVE-2021-22002 that can be deployed independently without taking the vRA appliances offline. "The workaround disables the ability to resolve the configuration page of vIDM. This endpoint is not used in vRA 7.6 environments and will not cause any impact to functionality," the company said. Note that the script covers only CVE-2021-22002; nothing here mitigates the exposed port 7443 login interface, so restricting network access to that port is the practical measure until the update is applied.