VMware Security Response Center

Workspace ONE UEM SSRF CVE-2021-22054 Patch Alert

If you have not deployed the Workspace ONE Console patches or workarounds of December 2021 documented in VMSA-2021-0029, now is the time to do so. These workarounds and patches prevent exploitation of CVE-2021-22054. Details of this issue have now become available, which makes exploitation in the wild more likely.

We have worked closely with the reporters of CVE-2021-22054, Shubham Shah and James Hebden of Assetnote, and Keiran Sampson, and we would like to thank them for their collaboration.

In their research, the reporters found that a static master key is used in the UEM database. This is not best practice, and VMware has published patches to address it. Instructions for rotating the static master key can be found in KB88323. We can confirm that we have not found security issues like CVE-2021-22054 that use the static master key.