-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1515
   VMSA-2022-0027.2 - VMware Cloud Foundation updates address multiple
                               vulnerabilities
                               10 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Cloud Foundation
Publisher:         VMWare
Operating System:  Virtualisation
                   VMware ESX Server
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-31678 CVE-2021-39144

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2022-0027.html

Comment: CVSS (Max):  9.8 CVE-2021-39144 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: VMware
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Critical

Advisory ID:  VMSA-2022-0027.2
CVSSv3 Range: 5.3-9.8
Issue Date:   2022-10-25
Updated On:   2023-03-09
CVE(s):       CVE-2021-39144, CVE-2022-31678
Synopsis:     VMware Cloud Foundation updates address multiple vulnerabilities.

1. Impacted Products

VMware Cloud Foundation (Cloud Foundation)

2. Introduction

Multiple vulnerabilities were privately reported to VMware. Updates are
available to address these vulnerabilities in affected VMware products.

3a. VMware Cloud Foundation update addresses a remote code execution
vulnerability via XStream (CVE-2021-39144)

Description

VMware Cloud Foundation contains a remote code execution vulnerability via the
XStream open source library. VMware has evaluated the severity of this issue to
be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Known Attack Vectors

Due to an unauthenticated endpoint that leverages XStream for input
serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get
remote code execution in the context of 'root' on the appliance.
Resolution

To remediate CVE-2021-39144 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

A supplemental FAQ was created for additional clarification. Please see:
https://kb.vmware.com/s/article/89932

Notes

While VMware does not mention end-of-life products on VMware Security
Advisories, due to the critical severity of this issue in NSX-V the product
team has made a patch available.

VMware has confirmed that exploit code leveraging CVE-2021-39144 against
impacted products has been published.

VMware has received reports of exploitation activities in the wild involving
CVE-2021-39144.

Acknowledgements

VMware would like to thank Sina Kheirkhah and Steven Seeley of Source Incite
for reporting these issues to us.

Response Matrix

Product                          Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
VMware Cloud Foundation          4.x      Any         CVE-2021-39144  N/A     N/A       Unaffected     N/A          N/A
VMware Cloud Foundation (NSX-V)  3.11     Any         CVE-2021-39144  9.8     critical  KB 89809       None         FAQ

3b. VMware Cloud Foundation update addresses an XML External Entity (XXE)
vulnerability (CVE-2022-31678)

Description

VMware Cloud Foundation contains an XML External Entity (XXE) vulnerability.
VMware has evaluated the severity of this issue to be in the Moderate severity
range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

An unauthenticated user may exploit this issue leading to a denial-of-service
condition or unintended information disclosure.

Resolution

To remediate CVE-2022-31678 apply the patches listed in the 'Fixed Version'
column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Sina Kheirkhah and Steven Seeley of Source Incite
for reporting these issues to us.
Response Matrix

Product                          Version  Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
VMware Cloud Foundation          4.x      Any         CVE-2022-31678  N/A     N/A       Unaffected     N/A          N/A
VMware Cloud Foundation (NSX-V)  3.11     Any         CVE-2022-31678  5.3     moderate  KB 89809       None         None

4. References

Fixed Version(s) and Release Notes:

VMware vCloud Foundation 3.11 Downloads and Documentation:
https://docs.vmware.com/en/VMware-Cloud-Foundation/3.11/rn/vmware-cloud-foundation-311-release-notes/index.html

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31678

FIRST CVSSv3 Calculator:

CVE-2021-39144: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-31678: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5. Change Log

2022-10-25 VMSA-2022-0027
Initial security advisory.

2022-10-27 VMSA-2022-0027.1
Updated advisory with information that VMware has confirmed exploit code
leveraging CVE-2021-39144 against VCF (NSX-V) has been published.

2023-03-09 VMSA-2022-0027.2
Updated advisory with information that VMware has received reports of
exploitation activities in the wild involving CVE-2021-39144.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZArE88kNZI30y1K9AQjJxxAAjj4f4LptxaPM80MfoGJ9uZM4M9uFQUMZ
42U4G5oVtO4+5CY6AL2/JRbgFF0qMOn/dWgtISMSWItNH47EQJUbLo1gVNPrJ2g3
HCueLMRxgz3a/EZe0OgQ+W2ZNB8t7hlDClw3Q85703qYUrTsOhiLtehEhntI4Jtl
tMfW3v8Mi5JTzaObTFag34/0KNiFZOttEtjHeiIw7FMPlaMA/GRwMsJ/Wva4v6px
bpHRSX27swHERoVRnS/NrV/jn1thU0jJTHq/RKhVK9QueTOprqwpPsSIgICxxSko
PcIppTwI6wynHgAKiF/DUBKLtov6h9AORkX1pQGT6t5ZKD5rxPkv8KpggKNTDOrY
c/cA9LmFF7hPqzXM5lRfa4ChY4mLPawMrLwyyLXjRmQICV/EmynyhnqFKVPvFy+2
LTUJ+V7UxauLoxsaPpendlvNeOMX9txkOsSM8qGghORX+K2CXFo5kp/sjeYtJhmC
jbn7iSeYCRsRs4QGsE35AmTyu/7bca4jSM6J7PgtgK++Ra4mtcmNNnjVl3Mw9qFp
O5+B4I4JqdC1Qj3sOAj231XF0YoHm00f4b9sFkjmw3EtudRix5ITZHYOWnvc25lk
a2aprSTsR0b1eD+8lMCQi5he+xDMrTbdyqpW+GERD/rfmArY1ER4kl34fnXoJkvP
GeAWZHOFwaY=
=5fpc
-----END PGP SIGNATURE-----