WARNING: REMOTE CODE EXECUTION VULNERABILITY IN VMWARE CLOUD FOUNDATION PLATFORM
CVE-2021-39144
9.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
Sources
https://www.vmware.com/security/advisories/VMSA-2022-0027.html
Risks
VMware released a security update on October 25, 2022 for VMware Cloud Foundation (NSX-V), a hybrid cloud platform for running enterprise applications in private or public environments.
The update resolves a critical vulnerability, CVE-2021-39144, which stems from the XStream open-source library bundled with the product. The vulnerability can be exploited by unauthenticated threat actors to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality and integrity, as well as system availability.
UPDATE 2023-03-09 (VMSA-2022-0027.2): VMware has received reports of exploitation activity in the wild involving CVE-2021-39144.
Description
Due to an unauthenticated endpoint that uses XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can obtain remote code execution in the context of 'root' on the appliance and execute commands on the host simply by manipulating the processed input stream. XStream is an open-source Java library that serializes Java objects to XML and back again.
Common attack patterns are: Code Injection, Leverage Executable Code in Non-Executable Files, Manipulating User-Controlled Variables, Object Injection Attack.
Affected products:
- VMware Cloud Foundation (Cloud Foundation)
- XStream versions up to and including 1.4.17, when used out of the box (i.e. without an explicitly configured type allowlist)
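The root cause described above is XStream instantiating whatever class the incoming XML names. The following Java snippet, added here as an illustration and not code from VMware, XStream or the CCB, shows the weak "out of the box" instance next to a hardened one that denies every type first and then allowlists only the classes the endpoint expects. The Report class, the element names and the sample XML are constructed for this example; the XStream calls (addPermission, allowTypes, allowTypesByWildcard, fromXML) are the library's own 1.4.x API.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {

    // Hypothetical application DTO, constructed for this example.
    public static class Report {
        public String title;
        public int severity;
    }

    // Weak setting: a default XStream instance. On 1.4.17 and earlier, used out of
    // the box, it will instantiate any class on the classpath that the XML names,
    // which is what turns attacker-controlled input into code execution.
    public static XStream unsafeDefault() {
        return new XStream();
    }

    // Corrected setting: deny everything, then allow only what this endpoint needs.
    // (XStream 1.4.18+ already denies by default, but an explicit allowlist keeps the
    // intent visible and survives library upgrades.)
    public static XStream hardened() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);               // deny all types first
        xstream.addPermission(NullPermission.NULL);                 // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);  // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Report.class });
        // If a whole package of DTOs is needed, restrict by wildcard rather than
        // opening everything, e.g.:
        // xstream.allowTypesByWildcard(new String[] { "com.example.dto.**" });
        xstream.alias("report", Report.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream safe = hardened();

        // Constructed sample input: a legitimate Report document.
        String benign = "<report><title>weekly</title><severity>2</severity></report>";
        Report r = (Report) safe.fromXML(benign);
        System.out.println("parsed: " + r.title + " / severity " + r.severity);

        // Constructed sample input naming a type outside the allowlist. The hardened
        // instance throws ForbiddenClassException (an XStreamException) while resolving
        // the element name, before any object of that type is created.
        String unexpected = "<java.util.Date>0</java.util.Date>";
        try {
            safe.fromXML(unexpected);
            System.out.println("unexpected: input was accepted");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For an appliance operator the fix remains the vendor patch; the snippet is useful when reviewing in-house code that also deserializes untrusted XML with XStream, where the absence of an explicit allowlist is the condition to look for.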
Recommended Actions
To address the issue, VMware has updated XStream to version 1.4.19. Apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' available at:
https://www.vmware.com/security/advisories/VMSA-2022-0027.html
The CCB recommends that system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident