VMware customers may have had a busy week because Over 100 Of IT giants’ products are Log4j error.
Now they need to carry out another urgent repair work, because the virty giant has discovered another serious flaw in its product, which it believes needs urgent attention.
Security Consultation VMSA-2021-0029Belongs to CVE-2021-22054, which describes server-side forged requests in VMware’s Workspace ONE Unified Endpoint Management (UEM) product.
This vulnerability has a score of 9.1 (out of 10 points) in the General Vulnerability Scoring System, which means that it is risky for you to ignore it.
VMware’s announcement did not provide much information about the security vulnerabilities, but only stated:
But this is enough to show that this is a terrible flaw, because the UEM system can manage tens of thousands of endpoints. VMware’s UEM can handle devices running Windows, macOS, Chrome OS, iOS, Android, and IoT devices.
The outlook for information from or about these devices is not comforting. This defect does not exist in the Workspace ONE UEM version as early as 2008.
Fortunately, there are two ways to fix it.
One is a patch, VMware has provided here.
The other is editing products web.config The file has only seven lines of instructions.
After completion, IIS restarts and you should be safe. But as VMware pointed out, you need to make these changes on “every Windows server in the environment where the UEM console application is installed.”
Sadly, as we all know, organizations sometimes forget their server fleets, so you need to strictly ensure that this fix is universally applied.
We are deeply sympathetic to those who are about to lose another weekend approaching Christmas due to repairs. ®
