VMware has released security updates for a number of products to address a critical vulnerability that could be exploited to gain access to confidential information.
Tracked as CVE-2021-22002 (CVSS score: 8.6) and CVE-2021-22003 (CVSS score: 3.7), the flaws affect VMware Workspace One Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
CVE-2021-22002 concerns an issue with how VMware Workspace One Access and Identity Manager allow the "/cfg" web app and diagnostic endpoints to be accessed via port 443 by tampering with a Host header, resulting in a server-side request.
"A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the /cfg web app, in addition a malicious actor could access /cfg diagnostic endpoints without authentication," the company said in its advisory. Suleyman Bayir of Trendyol has been credited with reporting the flaw.
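Because the advisory ties CVE-2021-22002 to a tampered Host header on port 443, one thing a defender can do while patching is review access logs for /cfg requests whose Host header is not one of the appliance's expected names. The following is an added example, not code from VMware or from the advisory; the log format, the `host="..."` field, the hostnames and the `/cfg/...` paths are constructed placeholders, not real endpoint names.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format with a Host field
# appended). Hosts, addresses and /cfg sub-paths are placeholders, not real data.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Aug/2021:10:00:01 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 512 host="access.example.internal"
10.0.0.5 - - [26/Aug/2021:10:00:02 +0000] "GET /cfg/diagnostic HTTP/1.1" 200 2048 host="localhost"
10.0.0.9 - - [26/Aug/2021:10:00:03 +0000] "GET /cfg/ HTTP/1.1" 302 0 host="access.example.internal"
10.0.0.9 - - [26/Aug/2021:10:00:04 +0000] "POST /cfg/admin HTTP/1.1" 200 99 host="127.0.0.1"
"""

# Fields: source address, timestamp, method, path, status, and the Host header
# value as logged by the (assumed) log format above.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ host="(?P<host>[^"]*)"'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_cfg_host_anomalies(log_text, expected_hosts):
    """Return records for /cfg requests whose Host header is not an expected
    appliance hostname. A request that reaches /cfg with a mismatched Host
    (for example, a loopback name supplied by the client) is the pattern the
    advisory describes and is worth reviewing, especially when it returned 2xx."""
    expected = {h.lower() for h in expected_hosts}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than failing
        if rec["path"].startswith("/cfg") and rec["host"].lower() not in expected:
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count flagged requests per source address for triage."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    flagged = find_cfg_host_anomalies(SAMPLE_LOG, ["access.example.internal"])
    for rec in flagged:
        print(rec["src"], rec["method"], rec["path"], rec["status"], rec["host"])
    print(summarize_by_source(flagged))
```

Adapt `LOG_RE` to whatever your reverse proxy or appliance actually logs; the check only works if the Host header value is written to the log.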
Also addressed by VMware is an information disclosure vulnerability impacting VMware Workspace One Access and Identity Manager via an inadvertently exposed login interface on port 7443. An attacker with network access to port 7443 could potentially stage a brute-force attack, which the company noted "may or may not be practical based on lockout policy configuration and password complexity for the target account."
For customers who cannot upgrade to the latest version, VMware is offering a workaround script for CVE-2021-22002 that can be deployed independently without taking the vRA appliances offline. "The workaround disables the ability to resolve the configuration page of vIDM. This endpoint is not used in vRA 7.6 environments and will not cause any impact to functionality," the company said.