Security News > 2022 > October > VMware Releases Patch for Critical RCE Flaw in Cloud Foundation Platform
VMware on Tuesday shipped security updates to address a critical security flaw in its VMware Cloud Foundation product.
"Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation, a malicious actor can get remote code execution in the context of 'root' on the appliance," the company said in an advisory.
In light of the severity of the flaw and its relatively low bar for exploitation, the Palo Alto-based virtualization services provider has also made available a patch for end-of-life products.
Also addressed by VMware as part of the update is CVE-2022-31678, an XML External Entity vulnerability that could be exploited to result in a denial-of-service condition or unauthorized information disclosure.
Security researchers Sina Kheirkhah and Steven Seeley of Source Incite have been credited with reporting both flaws.
Users of VMware Cloud Foundation are advised to apply the patches to mitigate potential threats.
News URL
https://thehackernews.com/2022/10/vmware-releases-patch-for-critical-rce.html
Related news
- Apache issues patches for critical Struts 2 RCE bug (source)
- BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products (source)
- Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected (source)
- Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now (source)
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
- Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation (source)
- SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation (source)
- Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-10-28 | CVE-2022-31678 | XXE vulnerability in VMWare Cloud Foundation and NSX Data Center VMware Cloud Foundation (NSX-V) contains an XML External Entity (XXE) vulnerability. | 9.1 |