Researchers at Source Incite reported a Remote Code Execution (RCE) vulnerability (CVE-2021-39144) in the open-source XStream library used by VMware Cloud Foundation. The vulnerability carries a near-maximum CVSSv3 score of 9.8 out of 10.
The vulnerability can be exploited remotely by attacks with a low barrier to entry, which puts vulnerable Cloud Foundation instances within reach of a wide range of adversaries. Its severity prompted VMware to release a patch not only for current versions of Cloud Foundation but for end-of-life versions as well.
In addition, VMware released a patch for a second vulnerability (CVE-2022-31678) that can lead to denial of service or information exposure through an XML external entity (XXE) injection attack.