Security News > 2022 > October > VMware fixes critical Cloud Foundation remote code execution bug

VMware has released security updates today to fix a critical vulnerability in VMware Cloud Foundation, a hybrid cloud platform for running enterprise apps in private or public environments.

The flaw is in the XStream open-source library used by Cloud Foundation and has an almost maximum CVSSv3 base score of 9.8/10 assigned by VMware.

"Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation, a malicious actor can get remote code execution in the context of 'root' on the appliance," the company explains in an advisory release today.

Because of the severity of the issue reported by Sina Kheirkhah and Steven Seeley of Source Incite, VMware has also released security patches for end-of-life products.

To address the issue, VMware has updated XStream to version 1.4.19 to resolve CVE-2021-39144 and block any attempts of exploitation that would target unpatched servers.

Steps detailed in a separate support document require admins to log into each SDDC manager Virtual Machine in their Cloud Foundation environment.

News URL

https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-cloud-foundation-remote-code-execution-bug/