Issued: Monday, 31 October, 2022
Last Revision: Monday, 31 October, 2022
Vendor:
Severity Level:
A significant remote code execution vulnerability is present in VMware Cloud Foundation Network Security Virtualization for vSphere (NSX-V) via the XStream open source library. Public exploit code has been made available for this issue and is currently in use. The vulnerability is identified as CVE-2021-39144. By targeting an unauthenticated endpoint in NSX-V, an attacker could exploit this vulnerability to achieve remote code execution with root-level access.
A second vulnerability, an XML External Entity (XXE) issue in VMware Cloud Foundation NSX-V, is tracked as CVE-2022-31678. A remote, unauthenticated attacker could exploit it to cause a denial-of-service condition or an unintended information disclosure.
| CVE/Vulnerability | Description | Severity | Exploitable |
|---|---|---|---|
| CVE-2021-39144 | Remote code execution vulnerability | Critical | Yes |
| CVE-2022-31678 | XML External Entity (XXE) vulnerability | High | No |

Table 1: Vulnerability details

| CVE/Vulnerability | Product(s) Detail |
|---|---|
| CVE-2021-39144, CVE-2022-31678 | VMware Cloud Foundation (NSX-V) version 3.11 |

Table 2: Vulnerable versions

We recommend updating to NSX-V version 6.4.14 to mitigate the reported vulnerabilities.
