VMware Workspace ONE SDK and dependent mobile application updates address sensitive information disclosure vulnerability (CVE-2020-3940)

2020-01-09T00:00:00
ID VMSA-2020-0001
Type vmware
Reporter VMware
Modified 2020-01-09T00:00:00

Description

1. Impacted Products
  • Workspace ONE SDK
  • Workspace ONE Boxer
  • Workspace ONE Content
  • Workspace ONE SDK Plugin for Apache Cordova
  • Workspace ONE Intelligent Hub
  • Workspace ONE Notebook
  • Workspace ONE People
  • Workspace ONE PIV-D
  • Workspace ONE Web
  • Workspace ONE SDK Plugin for Xamarin
2. Introduction
A sensitive information disclosure vulnerability in the VMware Workspace ONE SDK was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.
3. VMware Workspace ONE SDK and dependent mobile application updates address sensitive information disclosure vulnerability (CVE-2020-3940)

Description:

VMware Workspace ONE SDK and dependent mobile applications do not properly handle certificate verification failures if SSL Pinning has been enabled in the Workspace ONE UEM Console. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 6.8.

Known Attack Vectors:

A malicious actor with man-in-the-middle (MITM) network positioning between an affected mobile application and Workspace ONE UEM Device Services may be able to capture sensitive data in transit if SSL Pinning is enabled.

Resolution:

To remediate CVE-2020-3940, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds:

None.

Additional Documentation:

None.

Acknowledgements:

None.

Response Matrix: