Vulnerability Alert - VMware Cloud Foundation

TYPE
Vulnerabilities
SYSTEMS AFFECTED
VMware Cloud Foundation versions 3.x / VMware NSX-V versions prior to 6.4.14
ECOSYSTEM
VMware
Description

VMware published a security advisory that addresses two vulnerabilities (CVE-2021-39144 and CVE-2022-31678). These vulnerabilities affect all VMware Cloud Foundation 3.x environments and VMware NSX-V instances prior to 6.4.14.
The remote code execution (RCE) vulnerability (CVE-2021-39144) affects VMware Cloud Foundation via the XStream open source library. CVE-2022-31678 is an XML External Entity (XXE) vulnerability.

Impact

Among other consequences, exploitation allows a malicious actor to achieve remote code execution.

Resolution

For VMware Cloud Foundation versions prior to 3.9.1, it is recommended to upgrade to 3.11.0.1 (or later) and apply the steps in the Workaround section of [2].
For VMware Cloud Foundation versions after 3.9.1, it is recommended to apply the steps in the Workaround section of [2].

References
Last updated on 07-09-2022