Fixing the Server Side Request Forgery (SSRF) Vulnerability

Dec 22, 2021 2 min read
Fixing the Server Side Request Forgery (SSRF) Vulnerability

Fixing SSRF Server Side Request Forgery Vulneraility CVE-2021-22054


On 16 December 2021, a new vulnerability was discovered in Workspace ONE UEM console which is hosted on Microsoft IIS Webserver.

The vulnerability has been published by The Common Vulnerabilities and Exposures (CVE) project as CVE-2021-22054 and obtain the CVSS risk score of 9.1.

Let’s take stock of the situation about your VMware Workspace ONE portfolio products:

Note: We describe here VMware's response for the Workspace ONE portfolio products only

What is this SSRF vulnerability?

A malicious actor with network access to UEM can send their requests to IIS without authentication and may exploit this issue to gain access to sensitive information.

VMware Response

On 16 December 2021, in response to the SSRF vulnerability, VMware has published a security advisory document for all of its impacted products.
This document is available at the following URL:

Please find below the list of impacted Workspace ONE Consoles:

Impacted Version > Fixed Version

  • 2109 > Workspace ONE UEM patch and above
  • 2105 > Workspace ONE UEM patch and above
  • 2102 > Workspace ONE UEM patch and above
  • 2101 > Workspace ONE UEM patch and above
  • 2011 > Workspace ONE UEM patch and above
  • 2010 > Workspace ONE UEM patch and above
  • 2008 > Workspace ONE UEM patch and above
  • 2007 > Workspace ONE UEM patch and above

Note : Workspace ONE Access and Unified Access Gateway are not impacted by this vulnerability as these products are NOT based on IIS.

What solution / fix can be applied?

Option 1 :
Deploy the patch associated with the supported version of Workspace ONE UEM that your on-premise environment is on.

Option 2 :
A short-termin mitigation for on-premise environments that are not currently on the patched version, this workaround can be applied:

  1. Identify all Windows servers that have the UEM Console application installed in the environment (e.g. Device Services Server, Console Services Server)

  2. Get administrator level access to the server using Remote Desktop or Physical access

  3. Patch the UEM web.config file using a text editor.
    More details, to implement this workaround can be found here

Impact of changes with Workaround

  • The application icons will not display on Console screens for searching pulic applications.
  • IIS reset will cause logged-in administrators to the server being patched to log out.
  • There will be no impact to managed devices

Note : VMware Cloud Operations Team will take care to implement this fix for all SaaS environments.

Those workarounds are therefore temporary until a patch is made available by VMware.

If you have any doubt, interrogation or questions concerning this subject feel free to contact us as soons as possible :

Stay tuned for more useful tips & tricks !

Great! Next, complete checkout for full access to Mobinergy Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Mobinergy Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.