On October 25, 2022, VMware published VMSA-2022-0027 on two vulnerabilities in its Cloud Foundation (NSX-V) solution. By far the more severe of these is CVE-2021-39144, an unauthenticated remote code execution vulnerability with a CVSSv3 score of 9.8. The vulnerability arises from a deserialization flaw in an open-source library called XStream, which is used to serialize objects to XML and back again. According to VMwareβs advisory, an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V) provides a vector for attackers to obtain remote code execution in the context of βrootβ on the appliance.
Vulnerability details and a proof of concept for CVE-2021-39144 are publicly available from prominent security researchers. While we are not aware of exploitation as of October 27, the severity of the vulnerability combined with the popularity of VMware solutions makes it a highly attractive target for attackers. Notably, VMware has gone so far as to release a patch for end-of-life (EOL) productsβa testament to the criticality of the issue.
End-of-life patch information is here.
VMware Cloud Foundation customers should update to a fixed version immediately, without waiting for a typical patch cycle to occur. For additional information, see VMSA-2022-0027.
InsightVM and Nexpose customers will be able to assess their exposure to CVE-2021-39144 with an authenticated vulnerability check expected to be available in the October 27 content release.