Researchers at Source Incite reported a Remote Code Execution (RCE) vulnerability (CVE-2021-39144) in the XStream open-source library being used in VMware Cloud Foundation. The vulnerability has scored a nearly maximum CVSSv3 score of 9.8 out of 10.
The vulnerability can be exploited remotely using attacks with a low barrier to entry, allowing a large range of adversaries to exploit vulnerable Cloud Foundation instances. The severity of the vulnerability warranted the release of a patch for not only current versions of Cloud Foundation but end-of-life versions as well.
In addition, VMware released a patch for a second vulnerability (CVE-2022-31678) that allows for a possible denial of service attack, or information exposure, using an XML external entity injection (XXE) attack.
Analyst Notes
As always, it is highly recommended to patch any appliances using vulnerable versions of software and to implement a plan for regular updates.
In the event that applying the official patch is not immediately feasible, VMware has also released a temporary workaround: https://kb.vmware.com/s/article/89809
https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-cloud-foundation-remote-code-execution-bug/
