VMware Releases Patch for Critical RCE Flaw in Cloud Foundation Platform
VMware on Tuesday shipped security updates to address a critical security flaw in its VMware Cloud Foundation product.
Tracked as CVE-2021-39144, the issue has been rated 9.8 out of 10 on the CVSS vulnerability scoring system, and relates to a remote code execution vulnerability via XStream open source library.
“Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance,” the company said in an advisory.
In light of the severity of the flaw and its relatively low bar for exploitation, the Palo Alto-based virtualization services provider has also made available a patch for end-of-life products.
Also addressed by VMware as part of the update is CVE-2022-31678 (CVSS score: 5.3), an XML External Entity (XXE) vulnerability that could be exploited to result in a denial-of-service (DoS) condition or unauthorized information disclosure.
Security researchers Sina Kheirkhah and Steven Seeley of Source Incite have been credited with reporting both flaws.
Users of VMware Cloud Foundation are advised to apply the patches to mitigate potential threats.