VMware Issues Patches to Fix Critical Bugs Affecting Multiple Products

silversurfer

Level 85
Thread author
Verified
Helper
Top poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
7,723
VMware has released security updates for multiple products to address a critical vulnerability that could be exploited to gain access to confidential information.

Tracked as CVE-2021-22002 (CVSS score: 8.6) and CVE-2021-22003 (CVSS score: 3.7), the flaws affect VMware Workspace One Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.

CVE-2021-22002 concerns an issue with how VMware Workspace One Access and Identity Manager allow the "/cfg" web app and diagnostic endpoints to be accessed via port 443 by tampering with a host header, resulting in a server-side request.

"A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the /cfg web app, in addition a malicious actor could access /cfg diagnostic endpoints without authentication," the company said in its advisory.