VMware this week announced patches for a critical remote code execution vulnerability in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V). Tracked as CVE-2021-39144 (CVSS score of 9.8), the security defect exists in XStream, an open source library to serialize objects to XML and back.
The bug impacts all XStream iterations until and including version 1.4.17. Only out-of-the-box versions are affected, but not those where XStream`s security framework was set up with a whitelist limited to the minimal required types.
“Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance,” VMware noted in its advisory.