Article 657RF VMware patches vulnerability with 9.8/10 severity rating in Cloud Foundation

VMware patches vulnerability with 9.8/10 severity rating in Cloud Foundation

by
Dan Goodin
from Ars Technica - All content on (#657RF)
wireless-security-800x534.jpg

Enlarge (credit: Getty Images)

Exploit code was released this week for a just-patched vulnerability in VMware Cloud Foundation and NSX Manager appliances that allows hackers with no authentication to execute malicious code with the highest system privileges.

VMware patched the vulnerability, tracked as CVE-2021-39144, on Tuesday and issued it a severity rating of 9.8 out of a possible 10. The vulnerability, which resides in the XStream open source library that Cloud Foundation and NSX Manager rely on, posed so much risk that VMware took the unusual step of patching versions that were no longer supported. The vulnerability affects Cloud Foundation versions 3.11, and lower. Versions 4.x aren't at risk.

"VMware Cloud Foundation contains a remote code execution vulnerability via XStream open source library," the company's advisory, published Tuesday, read. "Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of 'root' on the appliance."

Read 4 remaining paragraphs | Comments

External Content
Source RSS or Atom Feed
Feed Location http://feeds.arstechnica.com/arstechnica/index
Feed Title Ars Technica - All content
Feed Link https://arstechnica.com/
Reply 0 comments