• Home
  • |
  • Blog
  • |
  • How To Fix Critical Vulnerabilities On VMWare (CVE-2021-22002, CVE-2021-22003)?
How to Fix Critical Vulnerabilities on VMWare | CVE-2021-22002 CVE-2021-22003

A couple of vulnerabilities (CVE-2021-22002, CVE-2021-22003) were reported to VMWare, which affects multiple products of VMWare. VMWare has released workaround and patches in order to address the critical vulnerabilities. Let’s learn how to fix critical vulnerabilities on VMWare (CVE-2021-22002, CVE-2021-22003)?

VMWare Products Impacted:

CVE-2021-22002, CVE-2021-22003 vulnerabilities impact multiple VMWare products. Here is the list of the products.

  • VMware Workspace ONE Access (Access)
  • VMware Identity Manager (vIDM)
  • VMware vRealize Automation (vRA)
  • VMware Cloud Foundation
  • vRealize Suite Lifecycle Manager

With an extension to the above list. These two vulnerabilities affect some releases of VMWare Workspace ONE Access too. Here you see the table.

Product ComponentVersion(s)Guest Operating System
VMware Workspace ONE Access20.10.0.1Linux
VMware Workspace ONE Access20.10Linux
VMware Workspace ONE Access20.01Linux
VMware Identity Manager3.3.5Linux
VMware Identity Manager3.3.4Linux
VMware Identity Manager3.3.3Linux
VMware Identity Manager3.3.2Linux
vRealize Automation (embedded vIDM)7.6Linux

CVE-2021-22002:

This vulnerability lets both VMware Workspace ONE Access and Identity Manager access ‘/cfg web app’ and ‘diagnostic endpoints’ services on port 443, which is supposed to be accessible on port 8443, The services running on 8443 can be accessed on port 443, VMware considered this issue to be of ‘Important‘ severity with a maximum CVSSv3 base score of 8.6.

This flaw can help attackers with network access to port 443 accessing the /cfg web app just by tampering with the host header. The vulnerability also allows attackers to access /cfg diagnostic endpoints without authentication.

CVE-2021-22003:

This vulnerability allows both VMware Workspace ONE Access and Identity Manager to provide a login interface on port 7443, unintentionally. VMware considered this issue to be of ‘Low‘ severity with a maximum CVSSv3 base score of 3.7.

This flaw lets attackers to brute force the login endpoint and user enumeration over port 7443. However, successful brute force is difficult to achieve, in fact, it is impractical to consider when we have lockout policy configuration in place. 

Prechecks before you begin:

  1. Take the snapshot without virtual memory.
  2. Note down current build number from: https://<fqdn_of_appliance>:8443/cfg/login
  3. Download the patch files for your product:
ProductVersion
VMware Workspace ONE Access20.10.0.1
VMware Workspace ONE Access20.10
VMware Workspace ONE Access20.01
VMware Identity Manager3.3.5
VMware Identity Manager3.3.4
VMware Identity Manager3.3.3
VMware Identity Manager3.3.2
vRealize Automation (vIDM)7.6

How To Fix Critical Vulnerabilities On VMWare (CVE-2021-22002, CVE-2021-22003)?

VMWare has released patches to fix the vulnerabilities. VMWare also said it would include the patch in its next release of VMware Workspace ONE Access so that VMWare users may no need to apply the patches explicitly. The procedure written here will remain the same for all the products except vRealize Automation (embedded vIDM) 7.6. There is a different workaround for vRA 7.6, which we will share in the following sections.

Note: vRealize Suite Automation Lifecycle Manager (vRSLCM) 8.x: vRSLCM product suite can be impacted. If vIDM is used within the vRSLCM environment. Moreover, VMware Cloud Foundation (VCF) 4.x: VCF product suites can also be impacted. If vIDM is used within the VCF environment, 

Let’s fix the critical vulnerabilities on VMWare (CVE-2021-22002, CVE-2021-22003).

Note: No need to take the entire Workspace ONE Access/vIDM environment offline as patches can be applied independently on each appliance. The patching procedure may take approximately 10 minutes on each appliance, so you can plan this patching process in a rolling fashion. 

Time needed: 10 minutes.

Patch Installation Procedures for Linux Virtual Appliance:

  1. Login to the appliance with ssh user and switch to the root user.


    $ sudo su

  2. Transfer the patch .zip file to the Linux virtual appliance

    Hint: You can use tools like WinSCP to transfer the file to the virtual appliance.

  3. Unzip the file using below command

    # unzip HW-137959-<appliance version>.zip 

  4. Navigate to the files within the unzipped folder

    # cd HW-137959-<appliance version>

  5. Run the patch script using below command from terminal

    # ./HW-137959-Patch.sh

  6. Make sure appliance version and patch version is same.

    Request to download the correct file. Or else, your terminal will say “Please download the correct version of the patch”.

  7. Evaluate the warning of creating a backup before proceeding

    Type ‘y’ and press <Enter> to continue

  8. Give 5 minutes for the patch to be applied and give 5 more minutes for the appliance services to start.

  9. Validate the horizon-workspace service is started

    Use the command to check the status of the horizon-workspace
    # service horizon-workspace status

    Or

    You can also validate successful patching by launching the Configurator login page: https://<fqdn_of_appliance>:8443/cfg/login
    Take the build number from the README.txt file and verify the build version on the configuration login page.

  10. Check out the Rollback Procedures:

    If you are encountered with a problem and you don’t have the backup to roll back. these steps would help you.
    Login to the appliance and stop the horizon-workspace service.

    # service horizon-workspace stop

  11. Execute the WAR file that was in use prior to applying the patch

    # deployWar /usr/local/horizon/war/svadmin-webapp-0.1.war cfg

  12. Replace the server.xml and cert-proxy-server-0.1.jar files with the backup file created during patch deployment


    # mv /opt/vmware/horizon/workspace/conf/server.xml.bk /opt/vmware/horizon/workspace/conf/server.xml
    # mv /opt/vmware/certproxy/lib/cert-proxy-server-0.1.jar.bk /opt/vmware/certproxy/lib/cert-proxy-server-0.1.jar

  13. If, Mobile SSO(Android) is configured within the tenant.  Restart the vmware-certproxy service

    # service vmware-certproxy restart

    Give up to 3 minutes for the vmware-certproxy service to start. Validate vmware-certproxy has started
    # service vmware-certproxy status

  14. Remove the Flag File. Please replace the <appliance-version> in the command with the version code of the appliance being rolled back

    # rm -f /usr/local/horizon/conf/flags/HW-137959-<appliance-version>.applied

    Example (20.10): rm -f /usr/local/horizon/conf/flags/HW-137959-20.10.applied
    Example (3.3.5): rm -f /usr/local/horizon/conf/flags/HW-137959-3.3.5.0.applied

  15. Restart the service horizon-workspace. Give up to 5 minutes for the appliance horizon-workspace service to start

    # service horizon-workspace restart

  16. Validate the horizon-workspace service is started

    Use the command to check the status of the horizon-workspace
    # service horizon-workspace status

    Or

    You can also validate successful patching by launching the Configurator login page: https://<fqdn_of_appliance>:8443/cfg/login
    The build number should be the same prior to the deployment of the patch and verify the build version on the configuration login page.

This is how you can fix critical vulnerabilities on VMWare (CVE-2021-22002, CVE-2021-22003).

Thanks for reading this tutorial. Please share this information and help to secure the digital world.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.