VMware Releases Patch for Critical RCE Flaw in Cloud Foundation Platform

VMware on Tuesday shipped security updates to address a critical
security flaw in its VMware Cloud Foundation product.

Tracked as CVE-2021-39144, the issue has been rated 9.8 out of
10 on the CVSS vulnerability scoring system and is a remote code
execution vulnerability rooted in how the product uses the open
source XStream serialization library.

“Due to an unauthenticated endpoint that leverages XStream for
input serialization in VMware Cloud Foundation (NSX-V), a malicious
actor can get remote code execution in the context of ‘root’ on the
appliance,” the company said[1]
in an advisory.
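The root cause described in the advisory is a deserializer that accepts attacker-supplied XML naming arbitrary classes. The following is an added illustration, not VMware's code nor the XStream project's, of the configuration an endpoint like that needs: every default permission is dropped and only the handful of types the endpoint is meant to receive are allowed, so any other class named in the request is refused before it is instantiated. The HostConfig class, the hostConfig alias and both XML bodies are constructed for this example and are not taken from the affected appliance; no exploit chain is shown, because the point is that the allowlist rejects every class that is not on it.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    // Hypothetical model class an appliance endpoint might accept as XML.
    public static class HostConfig {
        public String hostname;
        public int port;
    }

    // Hardened configuration: clear every permission, then allow only the
    // exact types this endpoint needs. Anything else in the input is refused.
    public static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny all first
        xs.addPermission(NullPermission.NULL);                // null references
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[]{ String.class, HostConfig.class });
        xs.alias("hostConfig", HostConfig.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed request body of the shape the endpoint expects.
        String legit = "<hostConfig><hostname>nsx-mgr</hostname>"
                     + "<port>443</port></hostConfig>";

        // Constructed hostile body: the root tag names a JDK class instead of
        // the expected type. With an allowlist it must never be instantiated.
        String hostile = "<java.util.HashMap><entry><string>x</string>"
                       + "<string>y</string></entry></java.util.HashMap>";

        XStream xs = hardened();
        HostConfig cfg = (HostConfig) xs.fromXML(legit);
        System.out.println("accepted: " + cfg.hostname + ":" + cfg.port);

        try {
            xs.fromXML(hostile);
            System.out.println("hostile input was deserialized (NOT expected)");
        } catch (ForbiddenClassException e) {
            // Expected: the class is not on the allowlist.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The order matters: NoTypePermission.NONE must be added first, since it clears the permissions XStream ships with, and the allowlist is then built up from nothing. Denylisting known gadget classes instead is the approach that kept failing for XStream users, because each new chain needs a new entry.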

In light of the severity of the flaw and its relatively low bar
for exploitation (no authentication is required), the Palo Alto-based
virtualization services provider has also made a patch[2] available
for end-of-life products.

Also addressed by VMware as part of the update is CVE-2022-31678
(CVSS score: 5.3), an XML External Entity (XXE[3]) vulnerability that
could be exploited to result in a denial-of-service (DoS) condition
or unauthorized information disclosure.
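Both outcomes named for the XXE flaw, information disclosure and denial of service, come from the same parser behaviour: resolving entities declared in a DOCTYPE that the attacker controls. The block below is an added example, not VMware's code, of a JAXP DocumentBuilderFactory configured so that a DOCTYPE is refused outright, with the remaining features set as a fallback for parsers that do not honour the first one. The two probe documents (a file-reading external entity and a small entity-expansion bomb) are constructed for the example; the file path and element names are illustrative.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardening {

    // Parser factory with external entity resolution switched off. Refusing
    // the DOCTYPE removes both the file-read and the expansion-bomb vectors;
    // the remaining flags cover parsers that ignore that feature.
    public static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    // Parse a request body and return the root element's text.
    public static String parseRootText(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed probe: external entity that would read a local file
        // into the response (information disclosure).
        String fileXxe = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>"
            + "<r>&xxe;</r>";
        // Constructed probe: nested entities whose expansion grows
        // geometrically (denial of service).
        String bomb = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE r [<!ENTITY a \"aaaaaaaaaa\">"
            + "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">]>"
            + "<r>&b;&b;&b;&b;</r>";
        String benign = "<r>ok</r>";

        DocumentBuilderFactory dbf = hardenedFactory();
        System.out.println("benign: " + parseRootText(dbf, benign));
        for (String probe : new String[]{ fileXxe, bomb }) {
            try {
                parseRootText(dbf, probe);
                System.out.println("probe was parsed (NOT expected)");
            } catch (SAXParseException e) {
                // Expected: the DOCTYPE is rejected before any entity is resolved.
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

If an application genuinely needs DOCTYPE support, the disallow-doctype-decl line is the one to drop; the external-entity and external-DTD features must then stay off, and the ACCESS_EXTERNAL_* attributes (JAXP 1.5 and later) keep the built-in JDK parser from fetching anything over the network or from disk.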

Security researchers Sina Kheirkhah and Steven Seeley of Source
Incite have been credited with reporting both flaws.

Users of VMware Cloud Foundation are advised to apply the
patches to mitigate potential threats.

References

  1. said (www.vmware.com)
  2. patch (kb.vmware.com)
  3. XXE (owasp.org)
