VMware on Tuesday shipped security updates to address a critical security flaw in its VMware Cloud Foundation product.
Tracked as CVE-2021-39144, the issue has been rated 9.8 out of 10 on the CVSS vulnerability scoring system, and relates to a remote code execution vulnerability via the XStream open source library.
“Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance,” the company said in an advisory.
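The root cause described in the advisory is the classic XStream pattern: XML from an unauthenticated caller is handed to XStream, which instantiates whatever Java type the XML names. The mitigation for that bug class is to run XStream with a deny-by-default type allowlist so that only the types the endpoint actually expects can be created. The following is an added illustration written for this page, not VMware's code or the vulnerable endpoint; the `NodeStatus` class and the sample payloads are constructed placeholders, and the XStream calls (`addPermission`, `allowTypes`) are the library's real security API.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Hypothetical data object standing in for whatever an endpoint legitimately accepts.
    public static class NodeStatus {
        public String hostname;
        public int cpuPercent;
    }

    // Build an XStream instance that refuses every type except the ones listed here.
    public static XStream hardenedXStream() {
        XStream xs = new XStream();
        // Start from "deny everything" ...
        xs.addPermission(NoTypePermission.NONE);
        // ... then re-enable only nulls, primitives, String and the expected DTO.
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, NodeStatus.class });
        xs.alias("nodeStatus", NodeStatus.class);
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = hardenedXStream();

        // Constructed benign payload: exactly the type the endpoint is meant to accept.
        String expected = "<nodeStatus><hostname>esx-01</hostname><cpuPercent>42</cpuPercent></nodeStatus>";
        NodeStatus status = (NodeStatus) xs.fromXML(expected);
        System.out.println("accepted: " + status.hostname + " at " + status.cpuPercent + "% CPU");

        // Constructed unexpected payload: an arbitrary JDK type the endpoint never needs.
        // With the allowlist in place XStream refuses to instantiate it at all.
        String unexpected = "<java.util.ArrayList><int>1</int></java.util.ArrayList>";
        try {
            xs.fromXML(unexpected);
            System.out.println("unexpected type was deserialized: allowlist is NOT in effect");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected type: " + e.getMessage());
        }
    }
}
```

Recent XStream releases (1.4.18 and later) ship with a deny-all default, but an explicit allowlist like the one above is still the configuration to look for when reviewing code that feeds network input into `fromXML`: if an endpoint constructs `new XStream()` on an older version and never calls `addPermission`/`allowTypes`, any class on the classpath is reachable from the wire.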
In light of the severity of the flaw and its relatively low bar for exploitation, the Palo Alto-based virtualization services provider has also made available a patch for end-of-life products.
Also addressed by VMware as part of the update is CVE-2022-31678 (CVSS score: 5.3), an XML External Entity (XXE) vulnerability that could be exploited to result in a denial-of-service (DoS) condition or unauthorized information disclosure.
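The second flaw is an XXE, where an XML parser honours a DOCTYPE supplied by the caller and either resolves external entities (information disclosure) or expands nested entities until memory runs out (DoS). The standard fix is to configure the parser to reject DOCTYPE declarations and to disable external entity and DTD loading. The following added example, which is not VMware's code and says nothing about how the NSX-V parser is actually configured, shows a JAXP `DocumentBuilder` hardened that way and checks that a constructed document carrying a DOCTYPE is refused before any entity is resolved; the entity's `file:///placeholder` URI is a constructed stand-in.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardenedParser {

    // A DocumentBuilder that cannot be steered by an attacker-supplied DOCTYPE.
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: no external entities and no entity-expansion bombs.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the first feature is unsupported by a given parser.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: block all external DTD and schema access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder db = hardenedBuilder();

        // Constructed document without a DOCTYPE: parses normally.
        Document ok = db.parse(new InputSource(new StringReader("<status><node>esx-01</node></status>")));
        System.out.println("parsed root element: " + ok.getDocumentElement().getTagName());

        // Constructed document that declares an external entity. A hardened parser
        // refuses the DOCTYPE itself, so the entity's URI is never resolved.
        String withDoctype =
            "<!DOCTYPE status [<!ENTITY ext SYSTEM \"file:///placeholder\">]><status>&ext;</status>";
        try {
            db.parse(new InputSource(new StringReader(withDoctype)));
            System.out.println("DOCTYPE accepted: parser is NOT hardened");
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

When auditing a service for this class of bug, the question to ask of every `DocumentBuilderFactory`, `SAXParserFactory` or `XMLInputFactory` is whether it is created with these settings; a factory obtained with the defaults and fed request bodies is the pattern that produces the DoS and disclosure outcomes the advisory describes.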
Security researchers Sina Kheirkhah and Steven Seeley of Source Incite have been credited with reporting both issues.
Users of VMware Cloud Foundation are advised to apply the patches to mitigate potential threats.