
VMware has released patches to address a critical vulnerability that resides in VMware Cloud Foundation.
VMware Cloud Foundation is a hybrid cloud platform. It provides a complete set of software-defined services for compute, storage, networking, security, and cloud management to run traditional or containerized enterprise apps in private or public environments.
The RCE vulnerability, tracked as CVE-2021-39144 with a CVSS score of 9.8, resides in the XStream open-source library. Unauthenticated attackers can exploit the vulnerability in low-complexity attacks without user interaction.
The product team has also released patches for end-of-life products due to the severity of the vulnerability.
The virtualization giant also addressed an XML External Entity vulnerability, tracked as CVE-2022-31678 with a CVSS score of 5.8. An unauthenticated user may exploit this issue to cause a denial-of-service condition or unintended information disclosure.
VMware also published separate guidance to upgrade NSX-V 6.4.14 appliances on VMware Cloud Foundation 3.x.
Workarounds
Perform the following step on each VMware NSX-V instance deployed in your VMware Cloud Foundation environment:
- Apply the NSX-V 6.4.14 patch available on the Product Patch page to all NSX-V instances in the environment.
Perform the following steps on each SDDC Manager VM deployed in your Cloud Foundation environment:
- Log in to the SDDC Manager virtual machine via SSH and sudo to the root account
- Verify the NSX-V version in the inventory
- Use the API to update the NSX-V hot patch version to 6.4.14-20609341
- Verify the NSX-V version
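The two "verify the NSX-V version" steps above come down to one check: is every NSX-V instance at or above the hot patch build 6.4.14-20609341 named in the guidance? The following POSIX shell script is an added example, not VMware's tooling and not part of the original article. It compares version strings of the form MAJOR.MINOR.PATCH-BUILD component by component and reports any instance that is still below the patched build. The inventory lines it reads (hostname followed by version) are constructed sample data; the real SDDC Manager inventory and API output formats are not described on the page, so the line format is an assumption.

```shell
#!/bin/sh
# Added example: check NSX-V inventory versions against the patched hot patch
# build from the VMware guidance (6.4.14-20609341). Not VMware's own tooling.

PATCHED_NSXV="6.4.14-20609341"

# split_version VER -> prints "major minor patch build"; missing parts become 0.
split_version() {
    ver=${1%%-*}            # "6.4.14"
    build=${1#*-}           # "20609341", or the whole string if there is no dash
    [ "$build" = "$1" ] && build=0
    oldIFS=$IFS
    IFS=.
    set -- $ver
    IFS=$oldIFS
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "$build"
}

# nsxv_is_patched VER -> exit 0 if VER >= PATCHED_NSXV, 1 if below,
# 2 if VER is not a well-formed version string.
nsxv_is_patched() {
    case $1 in ''|*[!0-9.-]*) return 2 ;; esac
    # $1..$4 = candidate components, $5..$8 = patched reference components.
    set -- $(split_version "$1") $(split_version "$PATCHED_NSXV")
    for _ in 1 2 3 4; do
        [ "$1" -gt "$5" ] && return 0
        [ "$1" -lt "$5" ] && return 1
        shift                # after one shift, $1 and $5 are the next pair
    done
    return 0                 # all four components equal
}

# unpatched_hosts INVENTORY_TEXT -> prints space-separated hostnames whose
# version is below the patched build (or unparseable, which also needs review).
unpatched_hosts() {
    out=
    while read -r host ver; do
        [ -n "$host" ] || continue
        if nsxv_is_patched "$ver"; then :; else out="$out $host"; fi
    done <<EOF
$1
EOF
    printf '%s\n' "${out# }"
}

# Constructed sample inventory (format is an assumption, not SDDC Manager output).
SAMPLE_INVENTORY='nsx-mgr-01 6.4.13-19307994
nsx-mgr-02 6.4.14-20609341
nsx-mgr-03 6.4.14-20000000'

# Stand-alone run over the constructed sample.
unpatched=$(unpatched_hosts "$SAMPLE_INVENTORY")
if [ -n "$unpatched" ]; then
    printf 'NSX-V instances below %s: %s\n' "$PATCHED_NSXV" "$unpatched"
else
    printf 'All NSX-V instances are at %s or later\n' "$PATCHED_NSXV"
fi
```

The build number is compared as a fourth numeric component, so an instance reporting 6.4.14 with an older build (or no build at all) is flagged rather than passed on the 6.4.14 prefix alone; that matters here because the fix is a hot patch on top of 6.4.14, not the 6.4.14 release itself. To use it against a real environment, replace SAMPLE_INVENTORY with the hostname/version pairs extracted from the SDDC Manager inventory.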