  • VMware Issues Patches to Fix Critical Bugs Affecting Multiple Products

    aum

    • 472 views
    • 2 minutes
    VMware has released security updates for multiple products to address two vulnerabilities, the more serious of which could be exploited to gain access to confidential information.

    Tracked as CVE-2021-22002 (CVSS score: 8.6) and CVE-2021-22003 (CVSS score: 3.7), the flaws affect VMware Workspace One Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

    CVE-2021-22002 is a Host header handling issue in VMware Workspace One Access and Identity Manager: the "/cfg" web app and its diagnostic endpoints can be reached through port 443 by sending a request with a tampered Host header. In effect, the front end routes on the Host header, so an external request on 443 can be steered to an internal application that was not meant to be reachable on that port.

    "A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the /cfg web app; in addition, a malicious actor could access /cfg diagnostic endpoints without authentication," the company said in its advisory. Suleyman Bayir of Trendyol has been credited with reporting the flaw.

    Also addressed by VMware is CVE-2021-22003, an information disclosure vulnerability impacting VMware Workspace One Access and Identity Manager through an inadvertently exposed login interface on port 7443. An attacker with network access to port 7443 could use it to stage a brute-force attack against an account, which the firm noted "may or may not be practical based on lockout policy configuration and password complexity for the target account."

    For customers who cannot upgrade to the latest version, VMware is offering a workaround script for CVE-2021-22002 that can be deployed independently without taking the vRA appliances offline. "The workaround disables the ability to resolve the configuration page of vIDM. This endpoint is not used in vRA 7.6 environments and will not cause any impact to functionality," the company said.
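    Both issues above leave a recognisable trace in a front-end access log: a request that reaches /cfg over port 443 while carrying a Host header other than the appliance's own FQDN (the CVE-2021-22002 pattern), and one source piling up failed logins against port 7443 (the CVE-2021-22003 brute-force case). The following Python is an added example written for this page; it is not VMware's code and does not use any VMware log format. The log layout (timestamp, source IP, destination port, Host header, method, path, status), the sample lines, the expected FQDN idm.example.com, and the failure threshold and window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (format and contents are assumptions, not VMware's).
# Fields: timestamp  src_ip  dst_port  host_header  method  path  status
SAMPLE_LOG = """\
2021-08-31T10:00:01Z 10.0.0.5 443 idm.example.com GET /SAAS/auth/login 200
2021-08-31T10:00:02Z 203.0.113.7 443 localhost GET /cfg/ 200
2021-08-31T10:00:03Z 203.0.113.7 443 127.0.0.1 GET /cfg/diagnostic/ 200
2021-08-31T10:00:04Z 10.0.0.9 443 idm.example.com GET /cfg/ 403
2021-08-31T10:01:00Z 198.51.100.4 7443 idm.example.com POST /login 401
2021-08-31T10:01:01Z 198.51.100.4 7443 idm.example.com POST /login 401
2021-08-31T10:01:02Z 198.51.100.4 7443 idm.example.com POST /login 401
2021-08-31T10:01:03Z 198.51.100.4 7443 idm.example.com POST /login 401
2021-08-31T10:01:04Z 198.51.100.4 7443 idm.example.com POST /login 401
2021-08-31T10:01:05Z 198.51.100.4 7443 idm.example.com POST /login 401
2021-08-31T10:05:00Z 10.0.0.9 7443 idm.example.com POST /login 401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dport>\d+) (?P<host>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["dport"] = int(e["dport"])
        e["status"] = int(e["status"])
        events.append(e)
    return events


def find_cfg_host_mismatch(events, expected_host):
    """CVE-2021-22002 pattern: a request on 443 that reaches /cfg while carrying a
    Host header other than the appliance's own FQDN. The HTTP status is ignored on
    purpose: a rejected request with a forged Host is still worth seeing."""
    return [
        e for e in events
        if e["dport"] == 443
        and e["path"].startswith("/cfg")
        and e["host"].lower() != expected_host.lower()
    ]


def find_7443_bruteforce(events, threshold=5, window_s=60):
    """CVE-2021-22003 pattern: one source producing >= threshold failed logins
    (HTTP 401) against port 7443 within any window of window_s seconds.
    Returns {src_ip: largest failure count seen in a single window}."""
    failures = defaultdict(list)
    for e in events:
        if e["dport"] == 7443 and e["status"] == 401:
            failures[e["src"]].append(e["ts"])
    hits = {}
    for src, times in failures.items():
        times.sort()
        j = 0
        for i in range(len(times)):
            # Slide the right edge while it stays inside the window opened at times[i].
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
                j += 1
            count = j - i + 1
            if count >= threshold and count > hits.get(src, 0):
                hits[src] = count
    return hits


def analyze(log_text, expected_host, threshold=5, window_s=60):
    """Run both detections over a log text and return the findings."""
    events = parse_log(log_text)
    return {
        "cfg_host_mismatch": find_cfg_host_mismatch(events, expected_host),
        "bruteforce_7443": find_7443_bruteforce(events, threshold, window_s),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, "idm.example.com")
    for e in result["cfg_host_mismatch"]:
        print(f"/cfg via 443 with Host={e['host']!r} from {e['src']} -> {e['path']} ({e['status']})")
    for src, n in result["bruteforce_7443"].items():
        print(f"{n} failed logins on 7443 from {src} inside one {60}s window")
```

    On the constructed sample this flags the two /cfg requests that arrived on 443 with Host set to localhost and 127.0.0.1, and the source that failed six logins on 7443 in a few seconds; the in-policy /cfg request with the correct Host and the single stray failure are left alone. The threshold should track whatever lockout policy is actually configured, which is the same variable VMware's advisory points to when it calls the brute-force case practical or not.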