CVE-2021-39144: VMware Cloud Foundation Unauthenticated Remote Code Execution

On October 25, 2022, VMware published VMSA-2022-0027 on two vulnerabilities in its Cloud Foundation (NSX-V) solution. By far the more severe of these is CVE-2021-39144, an unauthenticated remote code execution vulnerability with a CVSSv3 score of 9.8. The vulnerability arises from a deserialization flaw in an open-source library called XStream, which is used to serialize objects to XML and back again. According to VMware’s advisory, an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V) provides a vector for attackers to obtain remote code execution in the context of ‘root’ on the appliance.

Vulnerability details and a proof of concept for CVE-2021-39144 are publicly available from prominent security researchers. While we are not aware of exploitation as of October 27, the severity of the vulnerability combined with the popularity of VMware solutions makes it a highly attractive target for attackers. Notably, VMware has gone so far as to release a patch for end-of-life (EOL) products—a testament to the criticality of the issue.

Affected products

• VMware Cloud Foundation (NSX-V) 3.11

End-of-life patch information is here.

Remediation

VMware Cloud Foundation customers should update to a fixed version immediately, without waiting for a typical patch cycle to occur. For additional information, see VMSA-2022-0027.

Rapid7 customers

InsightVM and Nexpose customers will be able to assess their exposure to CVE-2021-39144 with an authenticated vulnerability check expected to be available in the October 27 content release.