www.belgium.be Logo of the federal government

WARNING: REMOTE CODE EXECUTION VULNERABILITY IN VMWARE IN CLOUD FOUNDATION PLATFORM

Reference: 
Advisory #2022-34
Version: 
1.1
Affected software: 
VMware Cloud Foundation
Type: 
Remote code execution via XStream
CVE/CVSS: 

CVE-2021-39144
9.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

Sources

https://www.vmware.com/security/advisories/VMSA-2022-0027.html

Risks

VMware released a security update on October 25, 2022 for VMware Cloud Foundation (NSX-V), a hybrid cloud platform for running enterprise applications in private or public environments.

The update resolves a critical vulnerability, CVE-2021-39144 that relates to a vulnerability via XStream open source library. The vulnerability can be exploited by unauthenticated threat actors to load and execute arbitrary code from a remote host by manipulating the processed input stream. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

UPDATE 2023-03-09: VMSA-2022-0027.2, VMware has received reports of exploitation activities in the wild involving CVE-2021-39144.

Description

Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of 'root' on the appliance and can execute commands of the host only by manipulating the processed input stream. XStream is a set of open-source class libraries to serialize Java objects to XML and back again.

Common Attack pattern are: Code Injection, Leverage Executable Code in Non-Executable Files, Manipulating User-Controlled Variables, Object Injection Attack.

Affected products:

  • VMware Cloud Foundation (Cloud Foundation)
  • XStream versions until and including version 1.4.17, if using the version out of the box

Recommended Actions

To address the issue, VMware has updated XStream to version 1.4.19 and to apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' available at:

 https://www.vmware.com/security/advisories/VMSA-2022-0027.html

The CCB recommends system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. 

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

References

https://x-stream.github.io/CVE-2021-39144.html