Forum Discussion
CVE-2021-39144: VMware Patches Critical Cloud Foundation...
On October 25, VMware published VMSA-2022-0027, an advisory for multiple vulnerabilities in its VMware Cloud Foundation solution. This included patches for two CVEs: CVE-2021-39144 and CVE-2022-31678.
CVE-2021-39144 is a remote code execution vulnerability in XStream, an open source library used for object serialization. With a critical rating and 9.8 CVSSv3 score, this vulnerability was severe enough that VMware released patches for end-of-life versions of its Network Security Virtualization for vSphere (NSX-V) solution.
CVE-2022-31678 is an XXE vulnerability in VMware Cloud Foundation NSX-V that, if exploited, could lead to a denial-of-service condition or to information disclosure.
The discovery of both flaws is attributed to researchers Steven Seeley of Source Incite and Sina Kheirkhah of MDSec. A blog post was published on Source Incite that details their findings along with a proof-of-concept script for CVE-2021-39144.
For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.
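The root cause named above for CVE-2021-39144 is deserialization of untrusted input by XStream, which instantiates whatever type the incoming document names unless the application restricts it. The standard defensive control is XStream's security framework: clear all permissions and allow only the application's own types, so a document that names an unexpected class is rejected before any object is built. The following is an added illustration written for this post, not code from VMware, Source Incite or the XStream project; the `Message` class, the `HardenedXStream` wrapper and both sample documents are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/** Deserialization with an explicit type allowlist (illustrative, not project code). */
public final class HardenedXStream {

    /** Hypothetical application type that the service legitimately expects to receive. */
    public static final class Message {
        public String sender;
        public String body;
    }

    /** Builds an XStream instance that will only materialise the types listed here. */
    public static XStream build() {
        XStream xs = new XStream();
        // NoTypePermission.NONE resets every registered permission: deny-all baseline.
        xs.addPermission(NoTypePermission.NONE);
        // Re-admit the minimum needed for the expected payload.
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, Message.class });
        xs.alias("message", Message.class);
        return xs;
    }

    /** Parses a document; only Message (and its String fields) can result. */
    public static Message parse(XStream xs, String xml) {
        return (Message) xs.fromXML(xml);
    }

    public static void main(String[] args) {
        XStream xs = build();

        // Constructed sample: the shape the application expects.
        String expected = "<message><sender>alice</sender><body>hello</body></message>";
        Message m = parse(xs, expected);
        System.out.println("accepted: " + m.sender + " -> " + m.body);

        // Constructed sample: a document naming a core JDK type that is not on the allowlist.
        // With the deny-all baseline XStream refuses to instantiate it at all.
        String unexpected = "<java.util.HashMap/>";
        try {
            xs.fromXML(unexpected);
            System.out.println("unexpected type was accepted (allowlist misconfigured)");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected by security framework: " + e.getMessage());
        }
    }
}
```

The ordering matters: `NoTypePermission.NONE` must be added before the `allow*` calls, because it discards every permission registered so far. A deployment check is to feed the parser a document naming a type outside the list and confirm a `ForbiddenClassException` is raised; if the object is built instead, the allowlist is not in effect.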
2 Replies
- Anonymous
This post and the linked blog post contain an apparent typo; the VMSA-2022-0027 link goes to https://www.vmware.com/security/advisories/VMSA-2022-00027.html, which contains an extra zero before the 27.
- scaveza (Product Team)
Hi Shem,
Thanks for reporting. I've updated both this community post and the blog links to correct this. Thank you!