=====================================================================
CERT-Renater Information Note No. 2022/VULN401
_____________________________________________________________________
DATE                 : 26/10/2022
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running VMware Cloud Foundation (NSX-V)
                       3.11 versions prior to KB 89809.
=====================================================================

https://www.vmware.com/security/advisories/VMSA-2022-0027.html
_____________________________________________________________________

Critical

Advisory ID:   VMSA-2022-0027
CVSSv3 Range:  5.3-9.8
Issue Date:    2022-10-25
Updated On:    2022-10-25 (Initial Advisory)
CVE(s):        CVE-2021-39144, CVE-2022-31678
Synopsis:      VMware Cloud Foundation updates address multiple
               vulnerabilities.

1. Impacted Products

   VMware Cloud Foundation (Cloud Foundation)

2. Introduction

   Multiple vulnerabilities were privately reported to VMware. Updates
   are available to address these vulnerabilities in affected VMware
   products.

3a. VMware Cloud Foundation update addresses a remote code execution
    vulnerability via XStream (CVE-2021-39144)

   Description

   VMware Cloud Foundation contains a remote code execution
   vulnerability via the XStream open source library. VMware has
   evaluated the severity of this issue to be in the Critical severity
   range with a maximum CVSSv3 base score of 9.8.

   Known Attack Vectors

   Due to an unauthenticated endpoint that leverages XStream for input
   serialization in VMware Cloud Foundation (NSX-V), a malicious actor
   can get remote code execution in the context of 'root' on the
   appliance.

   Resolution

   To remediate CVE-2021-39144 apply the patches listed in the 'Fixed
   Version' column of the 'Response Matrix' below.

   Workarounds

   None.

   Additional Documentation

   None.

   Notes

   While VMware does not mention end-of-life products on VMware Security
   Advisories, due to the critical severity of NSX-V the product team
   has made a patch available.

   Acknowledgements

   VMware would like to thank Sina Kheirkhah and Steven Seeley of Source
   Incite for reporting these issues to us.

   Response Matrix

   Product                          Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
   VMware Cloud Foundation          4.x      Any         CVE-2021-39144  N/A     N/A       Unaffected     N/A          N/A
   VMware Cloud Foundation (NSX-V)  3.11     Any         CVE-2021-39144  9.8     Critical  KB 89809       None         None

3b. VMware Cloud Foundation update addresses an XML External Entity
    (XXE) vulnerability (CVE-2022-31678)

   Description

   VMware Cloud Foundation contains an XML External Entity (XXE)
   vulnerability. VMware has evaluated the severity of this issue to be
   in the Moderate severity range with a maximum CVSSv3 base score of
   5.3.

   Known Attack Vectors

   An unauthenticated user may exploit this issue leading to a
   denial-of-service condition or unintended information disclosure.

   Resolution

   To remediate CVE-2022-31678 apply the patches listed in the 'Fixed
   Version' column of the 'Response Matrix' below.

   Workarounds

   None.

   Additional Documentation

   None.

   Notes

   None.

   Acknowledgements

   VMware would like to thank Sina Kheirkhah and Steven Seeley of Source
   Incite for reporting these issues to us.

   Response Matrix

   Product                          Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
   VMware Cloud Foundation          4.x      Any         CVE-2022-31678  N/A     N/A       Unaffected     N/A          N/A
   VMware Cloud Foundation (NSX-V)  3.11     Any         CVE-2022-31678  5.3     Moderate  KB 89809       None         None

4. References

   Fixed Version(s) and Release Notes:

   VMware vCloud Foundation 3.11 Downloads and Documentation:
   https://docs.vmware.com/en/VMware-Cloud-Foundation/3.11/rn/vmware-cloud-foundation-311-release-notes/index.html

   Mitre CVE Dictionary Links:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31678

   FIRST CVSSv3 Calculator:
   CVE-2021-39144: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
   CVE-2022-31678: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5. Change Log

   2022-10-25 VMSA-2022-0027
   Initial security advisory.

6. Contact

   E-mail list for product security notifications and announcements:
   https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:
   security-announce@lists.vmware.com
   bugtraq@securityfocus.com
   fulldisclosure@seclists.org

   E-mail: security@vmware.com
   PGP key at: https://kb.vmware.com/kb/1055

   VMware Security Advisories
   https://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   VMware Security & Compliance Blog
   https://blogs.vmware.com/security

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2022 VMware Inc. All rights reserved.

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41          +
+ 75013 Paris          | email:cert@support.renater.fr +
=========================================================