Security News > 2022 > October > VMware fixes critical Cloud Foundation remote code execution bug
VMware has released security updates today to fix a critical vulnerability in VMware Cloud Foundation, a hybrid cloud platform for running enterprise apps in private or public environments.
The flaw is in the XStream open-source library used by Cloud Foundation and has an almost maximum CVSSv3 base score of 9.8/10 assigned by VMware.
"Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation, a malicious actor can get remote code execution in the context of 'root' on the appliance," the company explains in an advisory release today.
Because of the severity of the issue reported by Sina Kheirkhah and Steven Seeley of Source Incite, VMware has also released security patches for end-of-life products.
To address the issue, VMware has updated XStream to version 1.4.19 to resolve CVE-2021-39144 and block any attempts of exploitation that would target unpatched servers.
Steps detailed in a separate support document require admins to log into each SDDC manager Virtual Machine in their Cloud Foundation environment.
News URL
Related news
- Critical Flaw in Apache Parquet Allows Remote Attackers to Execute Arbitrary Code (source)
- ActiveX blocked by default in Microsoft 365 because remote code execution is bad, OK? (source)
- Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution (source)
- Ivanti Patches EPMM Vulnerabilities Exploited for Remote Code Execution in Limited Attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-23 | CVE-2021-39144 | Deserialization of Untrusted Data vulnerability in multiple products XStream is a simple library to serialize objects to XML and back again. | 8.5 |