On Tuesday, VMware released security updates for a critical vulnerability in VMware Cloud Foundation, its platform for deploying and managing private cloud infrastructure.
The vulnerability, tracked as CVE-2021-39144, carries a CVSS score of 9.8. It is a remote code execution flaw in the XStream open-source library, which VMware Cloud Foundation uses to serialize and deserialize Java objects to and from XML.
According to VMware's advisory, the problem is an unauthenticated endpoint in VMware Cloud Foundation (specifically NSX-V) that hands request input to XStream for deserialization. Because XStream instantiates whatever classes the supplied XML names unless it has been configured with a type allowlist, an attacker who can reach that endpoint can execute arbitrary code as 'root' on the appliance.
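The root cause described above is generic to any service that feeds untrusted XML to XStream without restricting the types it may create. The following Java program is an added illustration, not code from VMware or from the XStream project: it contrasts a permissive XStream instance (the behaviour of a pre-1.4.18 deployment with no allowlist) with one locked down to an explicit allowlist, using the permission API documented by XStream. `HostConfig`, the `hostConfig` alias and the two XML inputs are constructed for the example; the innocuous `java.util.ArrayList` stands in for the arbitrary class an attacker would actually name. It assumes XStream 1.4.18 or later (artifact `com.thoughtworks.xstream:xstream`) on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical type the endpoint legitimately expects (constructed for this example).
    public static class HostConfig {
        public String hostname;
        public int port;
    }

    // Constructed inputs: one well-formed request, one whose root element names a class
    // the endpoint never intended to build. A real exploit names a gadget class instead.
    static final String EXPECTED_XML =
        "<hostConfig><hostname>nsx-mgr.example.internal</hostname><port>443</port></hostConfig>";
    static final String UNEXPECTED_XML =
        "<java.util.ArrayList><string>not a HostConfig</string></java.util.ArrayList>";

    // Mimics an unrestricted deployment: XStream will instantiate any class on the classpath
    // that the XML names. This is the condition the advisory describes.
    static XStream permissive() {
        XStream xs = new XStream();
        xs.alias("hostConfig", HostConfig.class);
        xs.addPermission(AnyTypePermission.ANY); // "trust everything"
        return xs;
    }

    // Hardened instance: start from "nothing is allowed" and add back only what the
    // endpoint needs. Anything else is rejected before a constructor ever runs.
    static XStream allowlisted() {
        XStream xs = new XStream();
        xs.alias("hostConfig", HostConfig.class);
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, HostConfig.class });
        return xs;
    }

    static String describe(XStream xs, String xml) {
        try {
            Object o = xs.fromXML(xml);
            return "accepted: " + o.getClass().getName();
        } catch (ForbiddenClassException e) {
            return "rejected by allowlist: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("permissive , expected   -> " + describe(permissive(), EXPECTED_XML));
        System.out.println("permissive , unexpected -> " + describe(permissive(), UNEXPECTED_XML));
        System.out.println("allowlisted, expected   -> " + describe(allowlisted(), EXPECTED_XML));
        System.out.println("allowlisted, unexpected -> " + describe(allowlisted(), UNEXPECTED_XML));
    }
}
```

The permissive instance happily returns a `java.util.ArrayList` for the second input; the allowlisted one throws `ForbiddenClassException` for it while still deserializing the legitimate `HostConfig`. Upgrading XStream to a fixed release removes the known gadget chains, but the allowlist is the control that makes the endpoint safe regardless of what else is on the classpath.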
Because the endpoint is reachable over the network without authentication and the outcome is root-level code execution, VMware has also made patches available for end-of-life products, which it does not routinely do.
Alongside CVE-2021-39144, VMware also fixed CVE-2022-31678, an XML External Entity (XXE) vulnerability in the same NSX-V component with a CVSS score of 5.3. Depending on how the entity is crafted, it can be used to cause a denial-of-service condition or to disclose information the parser can read.
Both vulnerabilities were reported to VMware by security researchers Sina Kheirkhah and Steven Seeley of Source Incite.
Organizations running VMware Cloud Foundation are strongly urged to apply the patches listed in VMware's advisory, since an unauthenticated network-reachable path to root on the appliance leaves little margin for delay.