Fixing the server-side request forgery (SSRF) vulnerability
December 22, 2021 / Unisys Corporation
The situation with VMware Workspace ONE portfolio products
Note: This article will focus solely on VMware's response to the impacted Workspace ONE portfolio products.
On 16 December 2021, a new vulnerability was discovered in the Workspace ONE UEM console, hosted on Microsoft Internet Information Services (IIS) web server.
The vulnerability has been published by The Common Vulnerabilities and Exposures (CVE) project as CVE-2021-22054 and obtained the CVSS risk score of 9.1.
What is this SSRF vulnerability?
A malicious actor with network access to UEM can send their requests to IIS without authentication and may exploit this issue to gain access to sensitive information.
On 16 December 2021, in response to the SSRF vulnerability, VMware published a security advisory document for its impacted products.
Below is a list of impacted Workspace ONE consoles:
Impacted version > Fixed version
- 2109 > Workspace ONE UEM patch 18.104.22.168 and above
- 2105 > Workspace ONE UEM patch 22.214.171.124 and above
- 2102 > Workspace ONE UEM patch 126.96.36.199 and above
- 2101 > Workspace ONE UEM patch 188.8.131.52 and above
- 2011 > Workspace ONE UEM patch 184.108.40.206 and above
- 2010 > Workspace ONE UEM patch 220.127.116.11 and above
- 2008 > Workspace ONE UEM patch 18.104.22.168 and above
- 2007 > Workspace ONE UEM patch 22.214.171.124 and above
Note: This vulnerability does not impact Workspace ONE Access and Unified Access Gateway as these products are NOT based on IIS.
What solution can be applied?
Deploy the patch associated with the supported version of Workspace ONE UEM that your on-premises environment is on. You can find more details here.
This workaround can be applied to short-term mitigations for on-premises environments that are not currently on the patched version:
- Identify all Windows servers with the UEM console application installed in the environment (e.g., Device Services Server, Console Services Server).
- Get administrator-level access to the server using Microsoft Remote Desktop or physical access.
- Patch the UEM config file using a text editor.
More details on how to implement this workaround can be found here.
Impact of workaround changes
- The application icons will not display on console screens when searching for public applications.
- IIS reset will log out any administrators logged into the server being patched.
- There will be no impact on managed devices.
Note: The VMware cloud operations team will implement this fix for all SaaS environments, so these workarounds are only temporary until VMware releases a patch.
Learn more about how Unisys can help you manage and secure all enterprise devices with Modern Device Management.