How To Fix Critical Vulnerabilities On VMWare (CVE-2021-22002, CVE-2021-22003)?

A couple of vulnerabilities (CVE-2021-22002, CVE-2021-22003) were reported to VMWare, which affects multiple products of VMWare. VMWare has released workaround and patches in order to address the critical vulnerabilities. Let’s learn how to fix critical vulnerabilities on VMWare (CVE-2021-22002, CVE-2021-22003).

VMWare Products Impacted:

CVE-2021-22002 and CVE-2021-22003 vulnerabilities impact multiple VMWare products. Here is the list of the products.

With an extension to the above list. These two vulnerabilities affect some releases of VMWare Workspace ONE Access too. Here you see the table.

CVE-2021-22002:

This vulnerability lets both VMware Workspace ONE Access and Identity Manager access ‘/cfg web app’ and ‘diagnostic endpoints’ services on port 443, which is supposed to be accessible on port 8443, The services running on 8443 can be accessed on port 443, VMware considered this issue to be of ‘Important‘ severity with a maximum CVSSv3 base score of 8.6.

This flaw can help attackers with network access to port 443 accessing the /cfg web app just by tampering with the host header. The vulnerability also allows attackers to access /cfg diagnostic endpoints without authentication.

CVE-2021-22003:

This vulnerability allows both VMware Workspace ONE Access and Identity Manager to provide a login interface on port 7443, unintentionally. VMware considered this issue to be of ‘Low‘ severity with a maximum CVSSv3 base score of 3.7.

This flaw lets attackers brute force the login endpoint and user enumeration over port 7443. However, successful brute force is difficult to achieve, in fact, it is impractical to consider when we have a lockout policy configuration in place. 

Prechecks before you begin:

How To Fix Critical Vulnerabilities On VMWare (CVE-2021-22002, CVE-2021-22003)?

VMWare has released patches to fix the vulnerabilities. VMWare also said it would include the patch in its next release of VMware Workspace ONE Access so that VMWare users may no need to apply the patches explicitly. The procedure written here will remain the same for all the products except vRealize Automation (embedded vIDM) 7.6. There is a different workaround for vRA 7.6, which we will share in the following sections.

Note: vRealize Suite Automation Lifecycle Manager (vRSLCM) 8.x: vRSLCM product suite can be impacted. If vIDM is used within the vRSLCM environment. Moreover, VMware Cloud Foundation (VCF) 4.x: VCF product suites can also be impacted. If vIDM is used within the VCF environment, 

Let’s fix the critical vulnerabilities on VMWare (CVE-2021-22002, CVE-2021-22003).

Note: No need to take the entire Workspace ONE Access/vIDM environment offline as patches can be applied independently on each appliance. The patching procedure may take approximately 10 minutes on each appliance, so you can plan this patching process in a rolling fashion. 

Patch Installation Procedures for Linux Virtual Appliance:

Step 1. Login to the appliance with ssh user and switch to the root user.

$ sudo su

Step 2. Transfer the patch .zip file to the Linux virtual appliance

Hint: You can use tools like WinSCP to transfer the file to the virtual appliance.

Step 3 Unzip the file using below command

# unzip HW-137959-<appliance version>.zip 

Step 4. Navigate to the files within the unzipped folder

# cd HW-137959-<appliance version>

Step 5. Run the patch script using below command from terminal

# ./HW-137959-Patch.sh

Step 6. Make sure appliance version and patch version is same.

Request to download the correct file. Or else, your terminal will say “Please download the correct version of the patch”.

Step 7. Evaluate the warning of creating a backup before proceeding

Type ‘y’ and press <Enter> to continue

Step 8. Give 5 minutes for the patch to be applied and give 5 more minutes for the appliance services to start.

Step 9. Validate the horizon-workspace service is started

Use the command to check the status of the horizon-workspace# service horizon-workspace status

Or
You can also validate successful patching by launching the Configurator login page: https://<fqdn_of_appliance>:8443/cfg/loginTake the build number from the README.txt file and verify the build version on the configuration login page.

Step 10. Check out the Rollback Procedures:

If you are encountered with a problem and you don’t have the backup to roll back. these steps would help you.Login to the appliance and stop the horizon-workspace service.
# service horizon-workspace stop

Step 11. Execute the WAR file that was in use prior to applying the patch

# deployWar /usr/local/horizon/war/svadmin-webapp-0.1.war cfg

Step 12. Replace the server.xml and cert-proxy-server-0.1.jar files with the backup file created during patch deployment

# mv /opt/vmware/horizon/workspace/conf/server.xml.bk /opt/vmware/horizon/workspace/conf/server.xml
# mv /opt/vmware/certproxy/lib/cert-proxy-server-0.1.jar.bk /opt/vmware/certproxy/lib/cert-proxy-server-0.1.jar

Step 13. If, Mobile SSO(Android) is configured within the tenant.  Restart the vmware-certproxy service

# service vmware-certproxy restart

Give up to 3 minutes for the vmware-certproxy service to start. Validate vmware-certproxy has started# service vmware-certproxy status

Step 14. Remove the Flag File. Please replace the <appliance-version> in the command with the version code of the appliance being rolled back

# rm -f /usr/local/horizon/conf/flags/HW-137959-<appliance-version>.applied

Example (20.10): rm -f /usr/local/horizon/conf/flags/HW-137959-20.10.appliedExample (3.3.5): rm -f /usr/local/horizon/conf/flags/HW-137959-3.3.5.0.applied

Step 15. Restart the service horizon-workspace. Give up to 5 minutes for the appliance horizon-workspace service to start

# service horizon-workspace restart

Step 16. Validate the horizon-workspace service is started

Use the command to check the status of the horizon-workspace# service horizon-workspace status

Or
You can also validate successful patching by launching the Configurator login page: https://<fqdn_of_appliance>:8443/cfg/loginThe build number should be the same prior to the deployment of the patch and verify the build version on the configuration login page.

This is how you can fix critical vulnerabilities on VMWare (CVE-2021-22002, CVE-2021-22003).

Thanks for reading this tutorial. Please share this information and help to secure the digital world.