Security News > 2022 > October > VMware fixes critical Cloud Foundation remote code execution bug
VMware has released security updates today to fix a critical vulnerability in VMware Cloud Foundation, a hybrid cloud platform for running enterprise apps in private or public environments.
The flaw is in the XStream open-source library used by Cloud Foundation and has an almost maximum CVSSv3 base score of 9.8/10 assigned by VMware.
"Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation, a malicious actor can get remote code execution in the context of 'root' on the appliance," the company explains in an advisory release today.
Because of the severity of the issue reported by Sina Kheirkhah and Steven Seeley of Source Incite, VMware has also released security patches for end-of-life products.
To address the issue, VMware has updated XStream to version 1.4.19 to resolve CVE-2021-39144 and block any attempts of exploitation that would target unpatched servers.
Steps detailed in a separate support document require admins to log into each SDDC manager Virtual Machine in their Cloud Foundation environment.
News URL
Related news
- Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution (source)
- Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution (source)
- Apache fixes critical OFBiz remote code execution vulnerability (source)
- VMware patches remote make-me-root holes in vCenter Server, Cloud Foundation (source)
- Critical Flaw in Microchip ASF Exposes IoT Devices to Remote Code Execution Risk (source)
- New Zero-Day Flaw in Apache OFBiz ERP Allows Remote Code Execution (source)
- Critical SAP flaw allows remote attackers to bypass authentication (source)
- Critical Flaws in Traccar GPS System Expose Users to Remote Attacks (source)
- Cisco Fixes Two Critical Flaws in Smart Licensing Utility to Prevent Remote Attacks (source)
- Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-08-23 | CVE-2021-39144 | Deserialization of Untrusted Data vulnerability in multiple products XStream is a simple library to serialize objects to XML and back again. | 8.5 |