Over Log4j? VMware has another critical flaw for you to patch

Workspace ONE Unified Endpoint Management can leak info via server-side request forgery


VMware customers have probably had a busy week because more than 100 of the IT giant's products are impacted by the Log4j bug.

Now they need to make another urgent patching effort, because the virty giant has identified another critical flaw in its products that it rates as requiring urgent attention.

Security advisory VMSA-2021-0029, which pertains CVE-2021-22054, describes a server-side forgery request in VMware’s Workspace ONE Unified Endpoint Management (UEM) product.

The flaw is rated 9.1 out of 10 on the Common Vulnerability Scoring System, meaning you ignore it at your peril.

VMware’s advisory doesn’t offer much info on the security hole, stating only:

A malicious actor with network access to UEM can send their requests without authentication and may exploit this issue to gain access to sensitive information.

But that’s enough to show this is a scary flaw as UEM systems can manage tens of thousands of endpoints. VMware’s UEM can handle devices running Windows, macOS, Chrome OS, iOS, Android, and IoT devices.

The prospect of info from, or about, those devices being available is not comforting.

Thankfully there are two ways to fix it.

One is patches, which VMware has made available here.

The other is editing the products web.config file with a mere seven lines of instructions.

Once that’s done, and IIS rebooted, you should be safe. But as VMware points out, you’ll need to make those changes on “every single Windows server that has the UEM Console application installed in the environment.”

Sadly, organisations have been known to sometimes lose track of their server fleets, so rigor will be needed to ensure this fix is universally applied.

For those of you about to lose another Christmas-adjacent weekend to patching, our sympathies. ®


Other stories you might like

Biting the hand that feeds IT © 1998–2022