2 important vulnerabilities (XXE & RCE) in VMware Cloud Foundation. Patch immediately

Two serious vulnerabilities in Cloud Foundation, an XML External Entity (XXE) flaw and a remote code execution (RCE) flaw, have been patched, according to VMware.


The first issue is a remote code execution vulnerability affecting Cloud Foundation version 3.11, tracked as CVE-2021-39144 with a CVSS score of 9.8. It stems from a flaw in the open-source XStream library, a simple library for serializing objects to XML and back again, that can lead to remote code execution. In vulnerable versions, the flaw might allow a remote attacker with sufficient privileges to run commands on the host simply by manipulating the input stream that is processed.


In addition to CVE-2021-39144, VMware also patched an XML External Entity (XXE) vulnerability (CVE-2022-31678) that might allow an unauthenticated attacker to cause “a denial-of-service scenario or inadvertent information exposure.” With a maximum CVSSv3 base score of 5.3, VMware rates the issue as Moderate severity.
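As an added example (not VMware's patch and not XStream's own code), the Java sketch below shows the two hardening steps that address the mechanisms behind both flaws above: a deny-by-default XStream type allowlist, so a stream supplied by an attacker cannot name arbitrary classes to instantiate, and a DOM parser with DOCTYPE processing disabled, so a document carrying external entities is rejected before any entity is resolved. The `Greeting` type, the `HardenedXml` class and all inputs are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.StringReader;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class HardenedXml {
    // Hypothetical application type: the only object we ever expect in the stream.
    public static class Greeting {
        public String text;
    }
    // Deny-by-default XStream: only explicitly listed types may be instantiated.
    public static XStream hardenedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // forbid everything first
        xs.addPermission(NullPermission.NULL);                // then re-allow null,
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // primitives,
        xs.allowTypes(new Class[]{String.class, Greeting.class}); // and our own types
        xs.alias("greeting", Greeting.class);
        return xs;
    }
    // DOM parser that refuses any DOCTYPE, so external entities can never be declared.
    public static Document parseNoXxe(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }
    public static void main(String[] args) throws Exception {
        XStream xs = hardenedXStream();
        Greeting g = (Greeting) xs.fromXML("<greeting><text>hi</text></greeting>");
        System.out.println("deserialized: " + g.text);
        try { // a type not on the allowlist raises ForbiddenClassException (an XStreamException)
            xs.fromXML("<java.util.ArrayList/>");
        } catch (com.thoughtworks.xstream.XStreamException e) {
            System.out.println("XStream rejected: " + e.getMessage());
        }
        try { // constructed input with a DOCTYPE, the shape an XXE attempt would have
            parseNoXxe("<!DOCTYPE x [<!ENTITY e SYSTEM \"file:///placeholder\">]><x>&e;</x>");
        } catch (org.xml.sax.SAXParseException e) {
            System.out.println("parser rejected: " + e.getMessage());
        }
    }
}
```

The allowlist must be applied to every `XStream` instance the application builds; one unhardened instance that reads untrusted input is enough to reintroduce the deserialization problem.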

Steven Seeley and Sina Kheirkhah of Source Incite found the vulnerabilities and reported them.

The company advises any customers who may be impacted to install the available updates.