Fixing SSRF Server Side Request Forgery Vulneraility CVE-2021-22054
On 16 December 2021, a new vulnerability was discovered in Workspace ONE UEM console which is hosted on Microsoft IIS Webserver.
The vulnerability has been published by The Common Vulnerabilities and Exposures (CVE) project as CVE-2021-22054 and obtain the CVSS risk score of 9.1.
Let’s take stock of the situation about your VMware Workspace ONE portfolio products:
Note: We describe here VMware's response for the Workspace ONE portfolio products only
What is this SSRF vulnerability?
A malicious actor with network access to UEM can send their requests to IIS without authentication and may exploit this issue to gain access to sensitive information.
On 16 December 2021, in response to the SSRF vulnerability, VMware has published a security advisory document for all of its impacted products.
This document is available at the following URL:
Please find below the list of impacted Workspace ONE Consoles:
Impacted Version > Fixed Version
- 2109 > Workspace ONE UEM patch 126.96.36.199 and above
- 2105 > Workspace ONE UEM patch 188.8.131.52 and above
- 2102 > Workspace ONE UEM patch 184.108.40.206 and above
- 2101 > Workspace ONE UEM patch 220.127.116.11 and above
- 2011 > Workspace ONE UEM patch 18.104.22.168 and above
- 2010 > Workspace ONE UEM patch 22.214.171.124 and above
- 2008 > Workspace ONE UEM patch 126.96.36.199 and above
- 2007 > Workspace ONE UEM patch 188.8.131.52 and above
Note : Workspace ONE Access and Unified Access Gateway are not impacted by this vulnerability as these products are NOT based on IIS.
What solution / fix can be applied?
Option 1 :
Deploy the patch associated with the supported version of Workspace ONE UEM that your on-premise environment is on. https://kb.vmware.com/s/article/87167
Option 2 :
A short-termin mitigation for on-premise environments that are not currently on the patched version, this workaround can be applied:
Identify all Windows servers that have the UEM Console application installed in the environment (e.g. Device Services Server, Console Services Server)
Get administrator level access to the server using Remote Desktop or Physical access
Patch the UEM web.config file using a text editor.
More details, to implement this workaround can be found here
Impact of changes with Workaround
- The application icons will not display on Console screens for searching pulic applications.
- IIS reset will cause logged-in administrators to the server being patched to log out.
- There will be no impact to managed devices
Note : VMware Cloud Operations Team will take care to implement this fix for all SaaS environments.
Those workarounds are therefore temporary until a patch is made available by VMware.
If you have any doubt, interrogation or questions concerning this subject feel free to contact us as soons as possible : email@example.com
Stay tuned for more useful tips & tricks !