VMware Releases Patch for Critical RCE Flaw in Cloud Foundation Platform

October 26, 2022

VMware on Tuesday shipped security updates to address a critical security flaw in its VMware Cloud Foundation product.

Tracked as CVE-2021-39144, the issue has been rated 9.8 out of 10 on the CVSS vulnerability scoring system, and relates to a remote code execution vulnerability via XStream open source library.

“Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance,” the company said in an advisory.

In light of the severity of the flaw and its relatively low bar for exploitation, the Palo Alto-based virtualization services provider has also made available a patch for end-of-life products.

Also addressed by VMware as part of the update is CVE-2022-31678 (CVSS score: 5.3), an XML External Entity (XXE) vulnerability that could be exploited to result in a denial-of-service (DoS) condition or unauthorized information disclosure.

Security researchers Sina Kheirkhah and Steven Seeley of Source Incite have been credited with reporting both flaws.

Users of VMware Cloud Foundation are advised to apply the patches to mitigate potential threats.

Tags
October 26, 2022

Related Articles

China’s Mustang Panda Hackers Exploit TP-Link Routers for Persistent Attacks

May 16, 2023

Alert: Ivanti Releases Patch for Critical Vulnerability in Endpoint Manager Solution

January 5, 2024

PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration

January 26, 2023

Apple Unveils PQ3 Protocol – Post-Quantum Encryption for iMessage

February 22, 2024
© Copyright 2024, All Rights Reserved  |  PlanetJon
Back to top button