CVE-2021-22002
Description
VMware Workspace ONE Access and Identity Manager allow the /cfg web app and diagnostic endpoints, normally served on port 8443, to be accessed via port 443 using a custom Host header. A malicious actor with network access to port 443 could tamper with Host headers to gain access to the /cfg web app; in addition, a malicious actor could access /cfg diagnostic endpoints without authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
VMware Workspace ONE Access and Identity Manager allow unauthenticated access to the /cfg web app and diagnostic endpoints via a crafted host header on port 443.
Vulnerability
CVE-2021-22002 is a vulnerability in VMware Workspace ONE Access (Access) and VMware Identity Manager (vIDM) that allows the /cfg web application and diagnostic endpoints, normally exposed only on port 8443, to be reached via port 443 by supplying a custom Host header. It affects versions prior to the patches released in VMSA-2021-0016 [1]. The /cfg web app is a management interface, and the diagnostic endpoints are intended for internal use.
Exploitation
An attacker with network access to port 443 of an affected appliance can craft an HTTP request with a malicious Host header to make the server route the request to the /cfg web application, bypassing the intended port restriction. Additionally, the /cfg diagnostic endpoints can be accessed without any authentication [1]. The attacker does not need prior authentication or special privileges, only network connectivity to the target service.
Impact
Successful exploitation could allow an attacker to access the /cfg web application and diagnostic interfaces. The /cfg app is used for configuration management, and the diagnostic endpoints may expose sensitive system information. This could lead to information disclosure or further configuration tampering, potentially aiding in subsequent attacks [1]. The vulnerability is rated with a CVSSv3 base score of 7.5 (High) in some contexts, reflecting the potential for significant impact on confidentiality and integrity [1].
Mitigation
VMware has released patches for the affected products as part of VMSA-2021-0016. The fix was initially published on August 3, 2021, and updated in subsequent releases [1]. Administrators should apply the latest patches to Workspace ONE Access and Identity Manager. For environments where immediate patching is not possible, restricting network access to port 443 to trusted hosts may reduce risk, but the recommended mitigation is to upgrade to the fixed versions listed in the advisory [1].
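A defender-side check derived from the mechanics above, added here as an illustration and not part of the advisory or of any VMware tooling: it parses constructed proxy access-log lines (the `host=` and `port=` fields are assumed to be appended by a hypothetical reverse proxy in front of the appliance) and flags requests that reach the /cfg management path over port 443 or carry a Host header that is not the appliance's expected FQDN.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log lines: combined log format with the request's Host
# header and the listening port appended by a hypothetical reverse proxy.
SAMPLE_LOGS = [
    '10.0.0.5 - - [03/Aug/2021:10:00:01 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 512 host="idm.example.com" port=443',
    '10.0.0.9 - - [03/Aug/2021:10:00:02 +0000] "GET /cfg/setup HTTP/1.1" 200 2048 host="localhost:8443" port=443',
    '10.0.0.9 - - [03/Aug/2021:10:00:03 +0000] "GET /cfg/diagnostics HTTP/1.1" 200 4096 host="idm.example.com" port=443',
    '192.168.1.20 - - [03/Aug/2021:10:00:04 +0000] "GET /cfg/setup HTTP/1.1" 200 2048 host="idm.example.com:8443" port=8443',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ host="(?P<host>[^"]*)" port=(?P<port>\d+)$'
)

# Assumed canonical hostname(s) of the appliance; adjust for your deployment.
EXPECTED_HOSTS = {"idm.example.com"}


def parse_line(line: str) -> Dict[str, str]:
    """Split one access-log line into named fields (raises on garbage)."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def flag_cfg_on_443(line: str, expected_hosts=EXPECTED_HOSTS) -> List[str]:
    """Return the reasons a request matches the CVE-2021-22002 access pattern.

    An empty list means the line is unremarkable under these two rules:
    (1) the /cfg management path was served on the public port 443, and/or
    (2) the Host header (port suffix stripped) is not an expected FQDN.
    """
    rec = parse_line(line)
    reasons: List[str] = []
    path = rec["path"]
    if rec["port"] == "443" and (path == "/cfg" or path.startswith("/cfg/")):
        reasons.append("management path /cfg reached via port 443")
    hostname = rec["host"].split(":")[0].lower()
    if hostname not in {h.lower() for h in expected_hosts}:
        reasons.append(f"unexpected Host header {rec['host']!r}")
    return reasons


def scan(lines) -> List[Tuple[str, str, List[str]]]:
    """Return (source IP, path, reasons) for every flagged line."""
    hits = []
    for line in lines:
        reasons = flag_cfg_on_443(line)
        if reasons:
            rec = parse_line(line)
            hits.append((rec["src"], rec["path"], reasons))
    return hits
```

Rule (2) alone will be noisy on appliances that legitimately answer to several names; tune `EXPECTED_HOSTS` before alerting on it by itself, and treat rule (1) as the high-confidence signal.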
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
VMware / Workspace ONE Access and Identity Manager
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://www.vmware.com/security/advisories/VMSA-2021-0016.html
News mentions
No linked articles in our index yet.