VMware has released security updates for a number of products to address a critical vulnerability that could be exploited to gain access to confidential information.
Tracked as CVE-2021-22002 (CVSS score: 8.6) and CVE-2021-22003 (CVSS score: 3.7), the issues affect VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
CVE-2021-22002 concerns an issue with how VMware Workspace ONE Access and Identity Manager allow the "/cfg" web app and diagnostic endpoints to be reached over port 443 by tampering with the Host header, resulting in a server-side request.
"A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the /cfg web app; in addition, a malicious actor could access /cfg diagnostic endpoints without authentication," the company said in its advisory. Suleyman Bayir of Trendyol has been credited with reporting the flaw.
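As an added illustration (not from the article or from VMware), the following Python script scans constructed access-log lines for requests to the /cfg paths whose Host header is not one the appliance is expected to answer to, which is the pattern the advisory describes; the log format, the allowed host name and the sample lines are all assumptions.

```python
import re
# Constructed sample of front-end access log lines (not real Workspace ONE
# Access / vIDM logs); fields: client, method, path, Host header, status.
SAMPLE_LOG = """\
10.0.0.5 GET /SAAS/auth/login vidm.example.internal 200
10.0.0.5 GET /cfg/ vidm.example.internal:443 403
10.0.0.9 GET /cfg/ localhost 200
10.0.0.9 GET /cfg/diagnostic/health 127.0.0.1 200
203.0.113.7 GET /cfg/ evil.example 200
"""

# Host names the appliance is legitimately served under (assumed values).
ALLOWED_HOSTS = {"vidm.example.internal"}
# Paths the advisory describes as reachable through Host header tampering.
SENSITIVE_PREFIXES = ("/cfg",)

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) (?P<host>\S+) (?P<status>\d{3})$"
)

def normalize_host(host):
    """Lower-case the Host value and drop an explicit :port suffix.
    IPv6 literals such as [::1]:443 are not handled here."""
    return host.split(":", 1)[0].lower()

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def is_suspicious(entry):
    """True for a request to a sensitive path whose Host header is not on
    the allowlist. Blocked (4xx) requests are still reported as probing."""
    return entry["path"].startswith(SENSITIVE_PREFIXES) and (
        normalize_host(entry["host"]) not in ALLOWED_HOSTS
    )

def find_suspicious(log_text):
    """Scan a log and return the entries worth investigating, in order."""
    entries = (parse_line(ln) for ln in log_text.splitlines())
    return [e for e in entries if e is not None and is_suspicious(e)]

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_LOG):
        print(f"{e['client']} {e['path']} Host={e['host']} status={e['status']}")
```

Requests to /cfg that arrive under the expected host name are left alone; everything else hitting those paths is listed for review.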
Also addressed by VMware is an information disclosure vulnerability impacting VMware Workspace ONE Access and Identity Manager via an inadvertently exposed login interface on port 7443. An attacker with network access to port 7443 could potentially stage a brute-force attack, which the firm noted "may or may not be practical based on lockout policy configuration and password complexity for the target account."
For customers who cannot upgrade to the latest version, VMware is offering a workaround for CVE-2021-22002 that can be deployed independently without taking the vRA appliances offline. "The workaround disables the ability to resolve the configuration page of vIDM. This endpoint is not used in vRA 7.6 environments and will not cause any impact to functionality," the company said.