CVE-2021-22029
📋 TL;DR
This vulnerability allows attackers with access to the VMware Workspace ONE UEM REST API to cause denial of service by exploiting improper rate limiting on the /API/system/admins/session endpoint. Organizations using affected versions of VMware Workspace ONE UEM are impacted. The vulnerability requires API access but can disrupt administrative functionality.
💻 Affected Systems
- VMware Workspace ONE UEM
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete API unavailability preventing administrators from managing devices, users, and configurations through the REST API interface.
Likely Case
Intermittent API slowdowns or temporary unavailability affecting administrative operations and potentially cascading to dependent systems.
If Mitigated
Minimal impact with proper network segmentation, API access controls, and monitoring in place to detect and block excessive requests.
🎯 Exploit Status
Exploitation requires API access but is technically simple: it involves sending a high volume of requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.3 and later
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0017.html
Restart Required: Yes
Instructions:
1. Download VMware Workspace ONE UEM version 21.3 or later from the VMware portal.
2. Back up the current configuration and data.
3. Apply the update following VMware's upgrade documentation.
4. Restart the UEM services or server as required.
🔧 Temporary Workarounds
Implement API Rate Limiting
Configure a web application firewall or reverse proxy to enforce rate limits on the /API/system/admins/session endpoint.
# Example nginx rate limiting (limit_req_zone goes in the http block, the location in the server block)
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
location /API/system/admins/session {
    limit_req zone=api_limit burst=20 nodelay;
}
Restrict API Access
Limit access to the vulnerable endpoint using network ACLs or firewall rules.
# Example iptables rule to restrict access
# iptables -A INPUT -p tcp --dport 443 -m string --string "/API/system/admins/session" --algo bm -j DROP
Note: -m string inspects the TCP payload, so it only matches plaintext HTTP. On port 443 the request path is inside TLS and is not visible to the filter; restrict by source address instead (e.g. -s <admin-subnet>, placeholder) or enforce the path rule at a TLS-terminating reverse proxy.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the UEM API from untrusted networks
- Deploy web application firewall with rate limiting rules specifically for the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check VMware Workspace ONE UEM version in admin console or via API. Versions below 21.3 are vulnerable.
Check Version:
curl -k https://<uem-server>/API/system/info | grep version
(-k disables certificate verification; omit it when the server presents a trusted certificate.)
Verify Fix Applied:
Confirm version is 21.3 or higher and test API endpoint with rate limiting tools to ensure proper controls are in place.
📡 Detection & Monitoring
Log Indicators:
- Excessive 200/403 responses from the /API/system/admins/session endpoint
- High request rate from single IP to API endpoints
- API performance degradation alerts
Network Indicators:
- Unusual high volume of requests to /API/system/admins/session
- Multiple rapid API calls from single source
SIEM Query:
source="uem-api.log" AND (uri_path="/API/system/admins/session") AND (status=200 OR status=403) | stats count by src_ip | where count > 100
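The SIEM query above, as an added Python example that is not part of this advisory: it parses constructed access-log lines (the common/combined log layout and field names are assumptions, not UEM's actual log format), counts 200/403 responses on the endpoint per source IP, and adds a sliding time window so the threshold applies per five minutes rather than per whole log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "/API/system/admins/session"
# Common/combined access-log layout; field names are this example's own assumption.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return m["ip"], ts, m["path"].split("?")[0], int(m["status"])

def flag_sources(lines, endpoint=ENDPOINT, threshold=100, window=timedelta(minutes=5)):
    """Return {ip: peak_hits} for sources exceeding `threshold` 200/403 responses on
    `endpoint` within any sliding `window`; the time bound is what the SIEM query lacks."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == endpoint and rec[3] in (200, 403):
            hits[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

def constructed_log():
    """Constructed sample traffic: one source hammering the endpoint, one normal admin."""
    base = datetime(2021, 7, 15, 10, 0, 0)
    row = '{ip} - - [{ts}] "POST {path} HTTP/1.1" {status} 120'
    stamp = lambda dt: dt.strftime("%d/%b/%Y:%H:%M:%S +0000")
    lines = [row.format(ip="10.0.0.5", ts=stamp(base + timedelta(seconds=i)),
                        path=ENDPOINT, status=403 if i % 2 else 200) for i in range(150)]
    lines += [row.format(ip="10.0.0.9", ts=stamp(base + timedelta(minutes=i)),
                         path=ENDPOINT, status=200) for i in range(5)]
    lines.append(row.format(ip="10.0.0.5", ts=stamp(base), path="/API/system/info", status=200))
    return lines
```

Running flag_sources(constructed_log()) flags only 10.0.0.5 with 150 hits; the five spaced-out admin logins from 10.0.0.9 and the hit on a different endpoint are not counted.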