"VMware Fixes Critical RCE in VMware Cloud Foundation"

VMware has released security updates to address a critical vulnerability in VMware Cloud Foundation, identified as CVE-2021-39144 (CVSSv3 9.8). VMware Cloud Foundation is an advanced hybrid cloud platform that offers a comprehensive set of software-defined services for computing, storage, networking, security, and cloud management, used to run traditional or containerized enterprise apps in private or public environments. The Remote Code Execution (RCE) vulnerability resides in the open-source library XStream. Unauthenticated attackers can exploit it in low-complexity attacks without requiring any user interaction. Due to the severity of the vulnerability, the product team has also released patches for end-of-life products. In addition, the virtualization giant addressed CVE-2022-31678, an XML External Entity (XXE) vulnerability (CVSSv3 5.3). Unauthenticated users may take advantage of this vulnerability to cause a Denial-of-Service (DoS) condition or unintended information disclosure. Both flaws were discovered by Source Incite researchers Sina Kheirkhah and Steven Seeley. This article continues to discuss the critical RCE vulnerability and the XXE vulnerability addressed by VMware.

Security Affairs reports "VMware Fixes Critical RCE in VMware Cloud Foundation"

Submitted by Anonymous on