CVE-2021-39144: VMware Fixes RCE Vulnerability in Cloud Foundation
VMware on Tuesday announced the release of patches for a critical remote code execution (RCE) vulnerability and an XML External Entity (XXE) vulnerability in Cloud Foundation.
With a CVSS score of 9.8 and tracked as CVE-2021-39144, the first of the bugs is a remote code execution vulnerability affecting Cloud Foundation version 3.11.
The issue exists in the XStream open-source library and can result in remote code execution. XStream is a simple library for serializing Java objects to XML and back again. In affected versions, the vulnerability may allow a remote attacker to gain sufficient rights to execute commands on the host solely by manipulating the input stream that XStream processes.
“Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance,” read the company’s advisory.
The vulnerability was reported by Sina Kheirkhah and Steven Seeley of Source Incite, and both patches and workarounds have been released to address it. Technical details and a proof of concept (PoC) for this flaw have been released.
In addition to CVE-2021-39144, VMware also announced patches for an XML External Entity (XXE) vulnerability (CVE-2022-31678), which could allow an unauthenticated attacker to cause “a denial-of-service condition or unintended information disclosure.”
The flaw was discovered and reported by Sina Kheirkhah and Steven Seeley of Source Incite.
The company recommends that all potentially impacted customers apply the available patches.