
VMware Releases Critical Security Update for Cloud Foundation

Critical update addresses an RCE vulnerability and a second vulnerability that could lead to a DoS condition




Threat details

Introduction

VMware has released security updates to address two vulnerabilities in Cloud Foundation. The critical vulnerability, CVE-2021-39144, has a CVSSv3.1 score of 9.8 and is a remote code execution (RCE) vulnerability in the XStream open-source library. The second vulnerability, CVE-2022-31678, has a score of 5.3 and could lead to a denial-of-service (DoS) condition or unintended information disclosure.

A remote, unauthenticated attacker could exploit these vulnerabilities to take control of an affected system.
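The RCE described above sits in XStream, a Java library for turning XML into objects. The standard defensive control for that class of issue, independent of the vendor patch, is to configure XStream with an explicit allowlist so that untrusted XML cannot name arbitrary classes. The example below is added here for illustration and is not code from this advisory, from VMware, or from Cloud Foundation; the HealthReport type, the XML samples and the alias name are constructed assumptions, while the XStream API calls (addPermission, NoTypePermission, NullPermission, PrimitiveTypePermission, allowTypes, XStreamException) are the library's real security API.

```java
// Added example (not from the advisory or from VMware): hardening an XStream
// instance with an explicit type allowlist so that untrusted XML cannot name
// arbitrary classes for deserialisation. HealthReport and the XML are constructed.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    // Hypothetical application type that the service legitimately exchanges.
    public static final class HealthReport {
        public String hostname;
        public int cpuPercent;
    }

    // Builds an XStream instance that rejects every type except the ones listed.
    // Ordering matters: NoTypePermission.NONE clears XStream's permissive defaults,
    // and each later permission re-allows only a narrow set of types.
    public static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // deny by default
        xs.addPermission(NullPermission.NULL);                // allow XML null markers
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, HealthReport.class });
        xs.alias("report", HealthReport.class);
        return xs;
    }

    // Parses untrusted XML. When the document names a type outside the allowlist,
    // XStream throws (ForbiddenClassException, possibly wrapped in a
    // ConversionException; both extend XStreamException) instead of instantiating it,
    // and this method logs the rejection and returns null.
    public static HealthReport parseReport(String xml) {
        try {
            return (HealthReport) hardened().fromXML(xml);
        } catch (XStreamException e) {
            System.err.println("rejected XML: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed benign input that matches the allowlisted type.
        String ok = "<report><hostname>vcf-mgmt-01</hostname><cpuPercent>42</cpuPercent></report>";
        HealthReport r = parseReport(ok);
        System.out.println("parsed host=" + r.hostname + " cpu=" + r.cpuPercent);

        // Constructed input naming a JDK type the service never expects. With
        // XStream's older permissive defaults this would be instantiated; with the
        // allowlist it is rejected before any object is created.
        String unexpected = "<java.util.HashMap/>";
        System.out.println("unexpected type accepted? " + (parseReport(unexpected) != null));
    }
}
```

The point of the deny-then-allow ordering is that the application, not the XML sender, decides which classes may ever be constructed; an instance built this way fails closed when a new payload names a class the developers have not reviewed, which is the property a patched library version restores by default.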

CISA warns about active exploitation of CVE-2021-39144

CISA has added CVE-2021-39144 to its catalog of security flaws exploited in the wild. A proof-of-concept (PoC) was released in October for the critical severity remote code execution (RCE) vulnerability found in VMware's Cloud Foundation. Affected organisations are encouraged to review VMware Security Advisory VMSA-2022-0027 and apply any relevant updates.


Threat updates

Date: 13 Mar 2023
Update: CISA warns of critical VMware RCE flaw exploited in attacks

CISA has added a critical severity vulnerability in VMware's Cloud Foundation to its catalog of security flaws exploited in the wild. This article has been updated to reflect the change in exploitation status.


Remediation advice

Affected organisations are encouraged to review VMware Security Advisory VMSA-2022-0027 and apply any relevant updates.

Although VMware Security Advisories do not normally cover end-of-life products, because of the critical severity of this vulnerability the product team has made a security update available for NSX-V.



Last edited: 13 March 2023 1:20 pm