Vulnerability Alert - VMware Cloud Foundation
VMware published a security advisory that addresses two vulnerabilities (CVE-2021-39144 and CVE-2022-31678). These vulnerabilities affect environments running any VMware Cloud Foundation 3.x version and VMware NSX-V instances prior to 6.4.14.
The RCE vulnerability (CVE-2021-39144) affects VMware Cloud Foundation via the XStream open source library. CVE-2022-31678 is an XML External Entity (XXE) vulnerability.
Among other consequences, it allows a malicious actor to achieve remote code execution.
For VMware Cloud Foundation versions prior to 3.9.1, it is recommended to upgrade to 3.11.0.1 (or later) and apply the steps in the Workaround section of [2].
For VMware Cloud Foundation versions after 3.9.1, it is recommended to apply the steps in the Workaround section of [2].