Language Selection

Your selected language is currently:

English
    4 Min Read

    Fixing the server-side request forgery (SSRF) vulnerability

    December 22, 2021 / Unisys Corporation

    The situation with VMware Workspace ONE portfolio products

    Note: This article will focus solely on VMware's response to the impacted Workspace ONE portfolio products.

    On 16 December 2021, a new vulnerability was discovered in the Workspace ONE UEM console, hosted on Microsoft Internet Information Services (IIS) web server.

    The vulnerability has been published by The Common Vulnerabilities and Exposures (CVE) project as CVE-2021-22054 and obtained the CVSS risk score of 9.1.

    What is this SSRF vulnerability?

    A malicious actor with network access to UEM can send their requests to IIS without authentication and may exploit this issue to gain access to sensitive information.

    VMware response

    On 16 December 2021, in response to the SSRF vulnerability, VMware published a security advisory document for its impacted products.

     

    Below is a list of impacted Workspace ONE consoles:

    Impacted version > Fixed version

    • 2109 > Workspace ONE UEM patch 21.9.0.13 and above
    • 2105 > Workspace ONE UEM patch 21.5.0.37 and above
    • 2102 > Workspace ONE UEM patch 21.2.0.27 and above
    • 2101 > Workspace ONE UEM patch 21.1.0.27 and above
    • 2011 > Workspace ONE UEM patch 20.11.0.40 and above
    • 2010 > Workspace ONE UEM patch 20.10.0.23 and above
    • 2008 > Workspace ONE UEM patch 20.8.0.36 and above
    • 2007 > Workspace ONE UEM patch 20.7.0.17 and above

    Note: This vulnerability does not impact Workspace ONE Access and Unified Access Gateway as these products are NOT based on IIS.

    What solution can be applied?

    Option 1:

    Deploy the patch associated with the supported version of Workspace ONE UEM that your on-premises environment is on. You can find more details here.

    Option 2:

    This workaround can be applied to short-term mitigations for on-premises environments that are not currently on the patched version:

    1. Identify all Windows servers with the UEM console application installed in the environment (e.g., Device Services Server, Console Services Server).
    2. Get administrator-level access to the server using Microsoft Remote Desktop or physical access.
    3. Patch the UEM config file using a text editor.

    More details on how to implement this workaround can be found here.

    Impact of workaround changes

    • The application icons will not display on console screens when searching for public applications.
    • IIS reset will log out any administrators logged into the server being patched.
    • There will be no impact on managed devices.

    Note: The VMware cloud operations team will implement this fix for all SaaS environments, so these workarounds are only temporary until VMware releases a patch.

    Learn more about how Unisys can help you manage and secure all enterprise devices with Modern Device Management.

    How emerging tech can streamline air cargo operations

    Sky’s the limit: How emerging tech can streamline air cargo operations

    Read more
    Personalize your IT service delivery with persona mapping

    Personalize your IT service delivery with persona mapping

    Read more
    Transforming workforce management through talent marketplaces

    Transforming workforce management through talent marketplaces

    Read more