You are currently viewing VMware Releases Patch for Critical RCE Flaw in Cloud Foundation Platform

VMware Releases Patch for Critical RCE Flaw in Cloud Foundation Platform

VMware on Tuesday shipped security updates to address a critical security flaw in its VMware Cloud Foundation product.

Tracked as CVE-2021-39144, the issue has been rated 9.8 out of 10 on the CVSS vulnerability scoring system, and relates to a remote code execution vulnerability via XStream open source library.

“Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance,” the company said in an advisory.

In light of the severity of the flaw and its relatively low bar for exploitation, the Palo Alto-based virtualization services provider has also made available a patch for end-of-life products.

Also addressed by VMware as part of the update is CVE-2022-31678 (CVSS score: 5.3), an XML External Entity (XXE) vulnerability that could be exploited to result in a denial-of-service (DoS) condition or unauthorized information disclosure.

Security researchers Sina Kheirkhah and Steven Seeley of Source Incite have been credited with reporting both the flaws.

Users of VMware Cloud Foundation are advised to apply the patches to mitigate potential threats.

Read the full article here

News Room

Cybervizer is a blog and podcast site that focuses on the latest technology and cybersecurity topics that are impacting enterprises, both small and large. Join us to explore the most important trends in enterprise technology and cybersecurity today. Get true insights into the tech and trends that will impact you and your organization.