- VMware announced VMware Cloud Foundation contains a remote code execution vulnerability via XStream open-source library.
- The vulnerability, which has a CVSSv3 base score of 9.8, allows a malicious actor to obtain remote code execution in the context of ‘root’ on the appliance.
- While VMware does not mention end-of-life products in VMware Security Advisories, due to the critical severity of this vulnerability the product team has made a patch available for NSX-V, an end-of-life product.
VMware has fixed a critical vulnerability affecting VMware Cloud Foundation, the platform used to manage VM and container-based workloads. According to the security advisory published by VMware (VMSA-2022-0027), the vulnerability, tracked as CVE-2021-39144, lies in the XStream open-source library, which Cloud Foundation uses to turn XML into Java objects. The flaw has a CVSSv3 base score of 9.8.
Input serialization
According to the advisory, an unauthenticated endpoint in VMware Cloud Foundation (NSX-V) leverages XStream for input serialization, so a malicious actor who can reach that endpoint can get remote code execution in the context of ‘root’ on the appliance. In practice, "input serialization" here means XStream unmarshalling (deserializing) attacker-supplied XML into Java objects; because the XML names the classes to instantiate, an attacker who controls it can reach dangerous types unless the set of permitted classes is restricted. VMware Cloud Foundation version 4.x is not affected, but VMware Cloud Foundation (NSX-V) version 3.11 users are urged to apply the latest patch immediately. VMware also provides a workaround for users who cannot update their systems right now.
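The following is an added illustration of the defect class behind CVE-2021-39144, not code from VMware or from the XStream project: an endpoint that hands untrusted XML to a default-configured XStream instance, beside the same endpoint hardened with XStream's own security framework (deny all types, then allow only the few the endpoint needs). It assumes the `com.thoughtworks.xstream:xstream` dependency, version 1.4.18 or later (the first release that fixed CVE-2021-39144 and enabled an allowlist by default); the `HostConfig` class, the sample request bodies and the stand-in "evil" document are constructed for the example, and the real gadget chain is deliberately not reproduced.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    /** Hypothetical data class that the endpoint legitimately expects (constructed for this example). */
    public static class HostConfig {
        public String hostname;
        public int port;
    }

    /** Constructed sample: a legitimate request body for the endpoint. */
    static final String GOOD_XML =
        "<hostConfig><hostname>nsx-mgr.example.test</hostname><port>443</port></hostConfig>";

    /**
     * Constructed stand-in for an attacker-supplied body. The element name is a class the
     * endpoint never expects; with an unrestricted XStream the library would try to instantiate
     * it. This is NOT the CVE-2021-39144 gadget chain, only a placeholder showing that the
     * attacker, not the server, chooses the class.
     */
    static final String EVIL_XML =
        "<java.lang.ProcessBuilder><command><string>id</string></command></java.lang.ProcessBuilder>";

    /** Insecure: XStream older than 1.4.18 with no security framework instantiates whatever the XML names. */
    static XStream insecureXStream() {
        XStream xs = new XStream();
        xs.alias("hostConfig", HostConfig.class);
        return xs;
    }

    /** Hardened: clear every permission, then allow only the minimal types this endpoint needs. */
    static XStream hardenedXStream() {
        XStream xs = new XStream();
        xs.alias("hostConfig", HostConfig.class);
        xs.addPermission(NoTypePermission.NONE);           // start from "deny everything"
        xs.addPermission(NullPermission.NULL);             // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xs.allowTypes(new Class[] { String.class, HostConfig.class }); // explicit allowlist
        return xs;
    }

    /** Parses a request body the way the hardened endpoint would. */
    static HostConfig parseRequest(String body) {
        return (HostConfig) hardenedXStream().fromXML(body);
    }

    public static void main(String[] args) {
        HostConfig cfg = parseRequest(GOOD_XML);
        System.out.println("legitimate body parsed: " + cfg.hostname + ":" + cfg.port);

        // The insecure instance also parses the legitimate body; the difference shows only on hostile input.
        insecureXStream().fromXML(GOOD_XML);

        try {
            parseRequest(EVIL_XML);
            System.out.println("UNEXPECTED: non-allowlisted type was accepted");
        } catch (ForbiddenClassException e) {
            // The allowlist rejects the type by name before any object is created.
            System.out.println("blocked by allowlist: " + e.getMessage());
        }
    }
}
```

The check that matters is the order of operations in `hardenedXStream()`: `NoTypePermission.NONE` wipes the defaults first, so anything not re-added afterwards is refused, and the refusal happens on the class name in the XML before XStream allocates an instance. Upgrading XStream alone is necessary but not sufficient; an explicit allowlist per endpoint is what the XStream project recommends.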
The latest updates also address an XML External Entity (XXE) vulnerability, tracked as CVE-2022-31678, with a CVSSv3 base score of 5.3. According to the advisory, an unauthenticated user can exploit it to cause a denial-of-service condition or unintended information disclosure. It does not affect VMware Cloud Foundation version 4.x; however, VMware Cloud Foundation (NSX-V) version 3.11 users should apply the latest patch as soon as possible.