Over Log4j? VMware has another critical flaw for you to patch
Workspace ONE Unified Endpoint Management can leak info via server-side request forgery
Now VMware customers need to make another urgent patching effort, because the virty giant has identified another critical flaw in its products that it rates as requiring urgent attention.
Security advisory VMSA-2021-0029, which pertains to CVE-2021-22054, describes a server-side request forgery (SSRF) flaw in VMware’s Workspace ONE Unified Endpoint Management (UEM) product.
The flaw is rated 9.1 out of 10 on the Common Vulnerability Scoring System, meaning you ignore it at your peril.
VMware’s advisory doesn’t offer much info on the security hole, stating only:
But that’s enough to show this is a scary flaw as UEM systems can manage tens of thousands of endpoints. VMware’s UEM can handle devices running Windows, macOS, Chrome OS, iOS, Android, and IoT devices.
The prospect of info from, or about, those devices being available is not comforting.
Thankfully there are two ways to fix it.
One is patches, which VMware has made available here.
The other is editing the product's web.config file with a mere seven lines of instructions.
Once that’s done, and IIS rebooted, you should be safe. But as VMware points out, you’ll need to make those changes on “every single Windows server that has the UEM Console application installed in the environment.”
Sadly, organisations have been known to sometimes lose track of their server fleets, so rigor will be needed to ensure this fix is universally applied.
For those of you about to lose another Christmas-adjacent weekend to patching, our sympathies. ®