VMware has released security updates today to fix a critical vulnerability in VMware Cloud Foundation, a hybrid cloud platform for running enterprise apps in private or public environments.
The flaw (CVE-2021-39144) is in the XStream open-source library used by Cloud Foundation and has an almost maximum CVSSv3 base score of 9.8/10 assigned by VMware.
It can be exploited remotely by unauthenticated threat actors in low-complexity attacks that don’t require user interaction.
“Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance,” the company explains in an advisory release today.
Because of the severity of the issue reported by Sina Kheirkhah and Steven Seeley of Source Incite, VMware has also released security patches for end-of-life products.
To address the issue, VMware has updated XStream to version 1.4.19 to resolve CVE-2021-39144 and block any attempts of exploitation that would target unpatched servers.
The company has also issued patches for a second flaw (CVE-2022-31678) that could trigger denials of service or expose information following successful XML external entity injection (XXE) attacks.
Workaround also available
VMware also provides a temporary solution for those who cannot immediately patch their appliances.
Steps detailed in a separate support document require admins to log into each SDDC manager Virtual Machine in their Cloud Foundation environment.
Once in, they have to apply an NSX for vSphere (NSX-V) hot patch that will upgrade the XStream library to version 1.4.19, which removes the attack vector.
However, unlike applying the CVE-2021-39144 security updates released today, the workaround will require admins to go through these steps each time “a new VI workload domain is created.”
Earlier this month, VMware informed customers who updated to vCenter Server 8.0 (the latest version) that they’ll have to wait some more for a patch to address a high-severity privilege escalation vulnerability disclosed almost a year ago, in November 2021.
