===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1515
        VMSA-2022-0027.2 - VMware Cloud Foundation updates address
                         multiple vulnerabilities
                               10 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Cloud Foundation
Publisher:         VMware
Operating System:  Virtualisation
                   VMware ESX Server
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-31678 CVE-2021-39144

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2022-0027.html

Comment: CVSS (Max):  9.8 CVE-2021-39144 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: VMware
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

Critical
Advisory ID: VMSA-2022-0027.2
CVSSv3 Range: 5.3-9.8
Issue Date: 2022-10-25
Updated On: 2023-03-09
CVE(s): CVE-2021-39144, CVE-2022-31678
Synopsis: VMware Cloud Foundation updates address multiple vulnerabilities.


1. Impacted Products

    VMware Cloud Foundation (Cloud Foundation)

2. Introduction

Multiple vulnerabilities were privately reported to VMware. Updates are available to
address these vulnerabilities in affected VMware products.

3a. VMware Cloud Foundation update addresses a remote code execution vulnerability
via XStream (CVE-2021-39144)

Description

VMware Cloud Foundation contains a remote code execution vulnerability via the XStream
open source library. VMware has evaluated the severity of this issue to be in the
Critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

Due to an unauthenticated endpoint that leverages XStream for input serialization
in VMware Cloud Foundation (NSX-V), a malicious actor can obtain remote code execution
in the context of 'root' on the appliance.

Resolution

To remediate CVE-2021-39144 apply the patches listed in the 'Fixed Version' column
of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

A supplemental FAQ was created for additional clarification.
Please see: https://kb.vmware.com/s/article/89932

Notes

While VMware does not mention end-of-life products on VMware Security Advisories,
due to the critical severity of this issue affecting NSX-V, the product team has made
a patch available.
VMware has confirmed that exploit code leveraging CVE-2021-39144 against impacted products
has been published.
VMware has received reports of exploitation activities in the wild involving CVE-2021-39144.

Acknowledgements

VMware would like to thank Sina Kheirkhah and Steven Seeley of Source Incite for
reporting these issues to us.

Response Matrix

Product                  Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
VMware Cloud Foundation  4.x      Any         CVE-2021-39144  N/A     N/A       Unaffected     N/A          N/A
VMware Cloud Foundation  3.11     Any         CVE-2021-39144  9.8     critical  KB 89809       None         FAQ
(NSX-V)

3b. VMware Cloud Foundation update addresses an XML External Entity (XXE) vulnerability
(CVE-2022-31678)

Description

VMware Cloud Foundation contains an XML External Entity (XXE) vulnerability. VMware has
evaluated the severity of this issue to be in the Moderate severity range with a maximum
CVSSv3 base score of 5.3.

Known Attack Vectors

An unauthenticated user may exploit this issue, leading to a denial-of-service condition
or unintended information disclosure.

Resolution

To remediate CVE-2022-31678 apply the patches listed in the 'Fixed Version' column of 
the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Sina Kheirkhah and Steven Seeley of Source Incite for
reporting these issues to us.

Response Matrix

Product                  Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
VMware Cloud Foundation  4.x      Any         CVE-2022-31678  N/A     N/A       Unaffected     N/A          N/A
VMware Cloud Foundation  3.11     Any         CVE-2022-31678  5.3     moderate  KB 89809       None         None
(NSX-V)

4. References

Fixed Version(s) and Release Notes:

VMware vCloud Foundation 3.11
Downloads and Documentation:

https://docs.vmware.com/en/VMware-Cloud-Foundation/3.11/rn/vmware-cloud-foundation-311-release-notes/index.html

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31678

FIRST CVSSv3 Calculator:
CVE-2021-39144: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE-2022-31678: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5. Change Log

2022-10-25 VMSA-2022-0027
Initial security advisory.

2022-10-27 VMSA-2022-0027.1
Updated advisory with information that VMware has confirmed exploit code leveraging
CVE-2021-39144 against VCF (NSX-V) has been published.

2023-03-09 VMSA-2022-0027.2
Updated advisory with information that VMware has received reports of exploitation 
activities in the wild involving CVE-2021-39144.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================