CVE-2021-22056
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in VMware Workspace ONE Access and VMware Identity Manager (the same product line under its earlier name). An attacker with network access to the appliance can make it issue HTTP requests to arbitrary origins, internal or external, and read the full responses. Organizations running affected versions are vulnerable. Because the appliance normally has reach into directory servers, connectors and the applications it fronts, the blast radius is whatever the appliance can reach, not whatever the attacker can reach directly.
💻 Affected Systems
- VMware Workspace ONE Access
- VMware Identity Manager
- Other VMware products that ship an embedded Identity Manager (check the advisory's response matrix for the exact list)
📦 What is this software?
Workspace ONE Access (formerly VMware Identity Manager) is the identity and access management service in VMware's Workspace ONE suite. It authenticates users against Active Directory/LDAP or third-party identity providers and brokers single sign-on (SAML, OAuth/OIDC) to downstream applications. It is typically deployed as an appliance with network access to directory servers, connectors and the applications it protects, which is why an SSRF in it matters more than an SSRF in a leaf web application.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access sensitive internal services, retrieve credentials from metadata services, perform internal port scanning, or pivot to other systems in the network.
Likely Case
Information disclosure from internal services, potential credential harvesting from cloud metadata endpoints, or reconnaissance of internal network services.
If Mitigated
With egress filtering in place, exposure is limited to information disclosure from the services the appliance is still allowed to reach. This CVE on its own provides no code execution and no authentication bypass.
🎯 Exploit Status
SSRF is a well-understood bug class with mature tooling; once an attacker can reach the vulnerable endpoint, exploitation needs nothing custom. The advisory describes the attacker only as someone with network access to the product, so treat every network-reachable instance (including ones published for remote workers) as exploitable until it is patched.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Workspace ONE Access 21.08.0.1 and later; Identity Manager 3.3.6 and later. The response matrix in the vendor advisory is the authoritative source and lists the hotfix for each affected version line, so confirm your exact build against it rather than against these numbers alone.
Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0030.html
Restart Required: Yes
Instructions:
1. Download the patch for your version line from VMware's download portal.
2. Snapshot the appliance, then apply the patch following VMware's documentation.
3. Restart the affected services.
4. Verify the patch was applied successfully (the installed version or hotfix should be visible in the administration console).
🔧 Temporary Workarounds
Network Segmentation
Restrict inbound access to the appliance to the networks that need it and, more importantly for an SSRF, restrict its outbound (egress) traffic to the destinations it legitimately needs: directory servers, connectors and the applications it brokers. Block egress to cloud metadata endpoints (169.254.169.254) and to management networks outright.
Web Application Firewall
Deploy a WAF with SSRF protection rules in front of the appliance. Treat this as defence in depth rather than a fix: URL-pattern rules are bypassed with alternate IP encodings, DNS names that resolve to internal addresses, and redirects, so pair the WAF with egress filtering and monitoring.
🧯 If You Can't Patch
- Isolate the appliance with strict egress filtering so that a forged request can reach only the services it genuinely needs; this directly shrinks what the SSRF can read
- Put a web application firewall with SSRF rules in front of it and monitor both the WAF and the appliance's outbound connections for exploitation attempts
- Limit which networks can reach the appliance at all until the patch is applied
🔍 How to Verify
Check if Vulnerable:
Check the product version in the administration console or via the web interface. Compare against affected versions listed in the advisory.
Check Version:
Check via product web interface or administration console. No single command applies to all deployment scenarios.
Verify Fix Applied:
Verify the installed version or hotfix matches the patched levels above (Workspace ONE Access >= 21.08.0.1, Identity Manager >= 3.3.6 as listed on this page; cross-check the advisory's response matrix) and, only with authorization and in a non-production environment, confirm that the appliance no longer proxies requests to an internal-only destination on an attacker's behalf.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from the vulnerable system
- Requests to internal IP addresses or metadata services
- Multiple failed HTTP requests to non-standard ports
Network Indicators:
- HTTP traffic from vulnerable system to internal services it shouldn't access
- Requests to cloud metadata endpoints (169.254.169.254, etc.)
SIEM Query (pseudo-syntax; adapt to your platform):
source_ip=[vulnerable_system_ip] AND (dest_ip=169.254.169.254 OR dest_port NOT IN (80,443) OR dest_ip IN (internal_ranges))
Tuning note: the appliance has legitimate outbound traffic (LDAP/directory sync, connectors, SMTP, time sync, vendor update checks) that will match the non-standard-port and internal-range clauses, so baseline normal egress first and exclude known destination/port pairs. Never exclude hits on the metadata endpoint; a connection from this appliance to 169.254.169.254 has no legitimate explanation.
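The following is an added example of the detection logic above run over connection-log lines. It is not VMware code and not part of the advisory; the log format, the appliance address 10.10.5.20, the allowlisted connector destination, the sweep threshold and the sample records are all constructed assumptions for illustration. It flags the three conditions in the SIEM query, applies a destination/port allowlist for baselined traffic, and additionally groups distinct destination ports per target so that a port sweep through the SSRF stands out as one finding rather than a pile of single-port alerts.

```python
"""Apply the page's SIEM logic to outbound-connection log lines.

Added example for this page; not VMware code and not from VMSA-2021-0030.
Assumptions (illustration only): the log format, the appliance IP
10.10.5.20, the allowlisted connector destination and the sweep threshold.
"""
import ipaddress
from collections import defaultdict

# Constructed sample export of outbound connections from the appliance.
# Assumed format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>"
SAMPLE_LOG = """\
2021-12-20T10:01:02Z src=10.10.5.20 dst=10.10.5.21 dport=443 proto=tcp
2021-12-20T10:01:05Z src=10.10.5.20 dst=169.254.169.254 dport=80 proto=tcp
2021-12-20T10:01:06Z src=10.10.5.20 dst=10.10.9.4 dport=22 proto=tcp
2021-12-20T10:01:07Z src=10.10.5.20 dst=10.10.9.4 dport=3306 proto=tcp
2021-12-20T10:01:08Z src=10.10.5.20 dst=93.184.216.34 dport=443 proto=tcp
2021-12-20T10:01:09Z src=10.10.5.20 dst=10.10.9.5 dport=8080 proto=tcp
2021-12-20T10:01:10Z src=10.10.7.7 dst=169.254.169.254 dport=80 proto=tcp
"""

MONITORED_HOSTS = {"10.10.5.20"}        # assumption: the appliance's address
ALLOWLIST = {("10.10.5.21", 443)}        # assumption: its connector, baselined as normal
METADATA_ENDPOINTS = {ipaddress.ip_address("169.254.169.254")}
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
STANDARD_PORTS = {80, 443}


def parse_line(line):
    """Parse one '<ts> k=v ...' record; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 4:
        return None
    rec = {"ts": parts[0]}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            return None
        rec[key] = value
    if "src" not in rec:
        return None
    try:
        rec["dst_ip"] = ipaddress.ip_address(rec["dst"])
        rec["dport"] = int(rec["dport"])
    except (KeyError, ValueError):
        return None
    return rec


def classify(rec, allowlist=ALLOWLIST):
    """Return the reasons one outbound connection matches the SIEM query."""
    if (str(rec["dst_ip"]), rec["dport"]) in allowlist:
        return []                        # baselined, legitimate destination
    reasons = []
    if rec["dst_ip"] in METADATA_ENDPOINTS:
        reasons.append("metadata-endpoint")
    if any(rec["dst_ip"] in net for net in INTERNAL_RANGES):
        reasons.append("internal-destination")
    if rec["dport"] not in STANDARD_PORTS:
        reasons.append("non-standard-port")
    return reasons


def analyze(log_text, monitored=MONITORED_HOSTS, allowlist=ALLOWLIST, sweep_threshold=2):
    """Run the query over a log export; returns per-connection alerts and port sweeps."""
    alerts = []
    ports_seen = defaultdict(set)       # (src, dst) -> distinct destination ports
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in monitored:
            continue                     # other hosts are out of scope for this query
        dst = str(rec["dst_ip"])
        ports_seen[(rec["src"], dst)].add(rec["dport"])
        reasons = classify(rec, allowlist)
        if reasons:
            alerts.append((rec["ts"], rec["src"], dst, rec["dport"], reasons))
    sweeps = sorted((src, dst, sorted(ports))
                    for (src, dst), ports in ports_seen.items()
                    if len(ports) >= sweep_threshold)
    return {"alerts": alerts, "sweeps": sweeps}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ts, src, dst, port, reasons in result["alerts"]:
        print(f"{ts} {src} -> {dst}:{port}  {', '.join(reasons)}")
    for src, dst, ports in result["sweeps"]:
        print(f"possible port sweep {src} -> {dst} ports {ports}")
```

On the sample, the external 443 connection is not alerted (it matches none of the query's clauses), the connector is dropped by the allowlist, the metadata hit and the three internal non-standard-port connections are alerted, and the two different ports to 10.10.9.4 are reported as a sweep. The allowlist is keyed on destination and port together, so baselining the connector on 443 does not silence a later SSRF probe of the same host on another port.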