VMware on Tuesday shipped security updates to address a critical security flaw in its VMware Cloud Foundation product.
Tracked as CVE-2021-39144, the issue has been rated 9.8 out of 10 on the CVSS vulnerability scoring system, and relates to a remote code execution vulnerability via the XStream open source library.
“Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of ‘root’ on the appliance,” the company said in an advisory.
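The root cause described above is an XStream deserialization endpoint that accepts arbitrary types from unauthenticated input. The standard mitigation, independent of any patch, is to run XStream with a deny-by-default type allowlist so that only the data classes the endpoint actually expects can be instantiated. The following is an added example written for this article; it is not VMware's code and does not reflect the affected NSX-V endpoint. The `HostConfig` class, the `hostConfig` alias and the two sample XML documents are constructed for illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistExample {

    /** Hypothetical DTO that the endpoint is meant to receive (constructed for this example). */
    public static class HostConfig {
        public String hostname;
        public int port;
    }

    /** Build an XStream instance that will only deserialise an explicit allowlist of types. */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Start from "deny everything". Older XStream releases permitted any class on the
        // classpath by default, which is what turns attacker-controlled XML into code execution.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-allow only harmless leaf types plus the single DTO this endpoint expects.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, HostConfig.class });
        xstream.alias("hostConfig", HostConfig.class);
        return xstream;
    }

    /** Returns true if the payload deserialised to the expected DTO, false if it was rejected. */
    public static boolean accepts(XStream xstream, String xml) {
        try {
            Object o = xstream.fromXML(xml);
            return o instanceof HostConfig;
        } catch (XStreamException e) {
            // ForbiddenClassException (a subclass of XStreamException) is raised before any
            // instance of a non-allowlisted class is created; a ConversionException wrapping it
            // is also possible for nested elements, so catch the common base type.
            return false;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();
        // Constructed sample: the legitimate request shape.
        String good = "<hostConfig><hostname>nsx-mgr.example.internal</hostname><port>443</port></hostConfig>";
        // Constructed sample: a document naming a type the endpoint has no reason to build.
        String unexpected = "<java.util.HashMap/>";
        System.out.println("legitimate payload accepted: " + accepts(xstream, good));
        System.out.println("unexpected type accepted:    " + accepts(xstream, unexpected));
    }
}
```

On a hardened instance the first call returns true and the second false. Note that the allowlist is a defence in the application layer only: the advisory's point is that the endpoint was reachable without authentication, so patching and restricting network access to the appliance's management interface still apply.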
In light of the severity of the flaw and its relatively low bar for exploitation, the Palo Alto-based virtualization services provider has also made available a patch for end-of-life products.
Also addressed by VMware as part of the update is CVE-2022-31678 (CVSS score: 5.3), an XML External Entity (XXE) vulnerability that could be exploited to result in a denial-of-service (DoS) condition or unauthorized information disclosure.
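Both outcomes named for the XXE bug, denial of service and information disclosure, come from the XML parser honouring entity declarations in a DOCTYPE supplied by the client. The usual fix on the Java side is to configure the JAXP parser to refuse a DOCTYPE entirely, which removes entity expansion and external resource fetches in one step. The following is an added example for this article, not code from VMware or from the affected product; the feature URIs are the standard Xerces/JAXP ones, and the two sample documents are constructed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeSafeParserExample {

    /** A DocumentBuilder that rejects DOCTYPE declarations and never resolves external entities. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: no DOCTYPE means no entity declarations at all, so neither an
        // external-entity file read nor an entity-expansion DoS can be expressed.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Secondary controls for parsers that accept a DOCTYPE but honour these features.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties that block network/file access for DTDs and schemas where supported.
        try {
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (IllegalArgumentException ignored) {
            // Older parser implementations do not know these attributes; the features above still apply.
        }
        return f.newDocumentBuilder();
    }

    /** Returns the root element name on success, or null if the hardened parser rejected the input. */
    public static String parseRootName(String xml) {
        try {
            Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement().getTagName();
        } catch (SAXException e) {
            // A DOCTYPE was present: the parser aborts before any entity is declared or expanded.
            return null;
        } catch (Exception e) {
            throw new IllegalStateException("parser setup or I/O failure", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: an ordinary request body.
        String plain = "<request><id>42</id></request>";
        // Constructed sample: the same body preceded by a DOCTYPE carrying an entity declaration.
        String withDoctype = "<!DOCTYPE request [<!ENTITY e \"x\">]><request>&e;</request>";
        System.out.println(parseRootName(plain));
        System.out.println(parseRootName(withDoctype));
    }
}
```

The first document parses and yields `request`; the second is rejected with a SAXException as soon as the DOCTYPE is seen, so the entity is never evaluated. For a schema-validated endpoint that legitimately needs a DTD, the secondary features are the fallback, but disallowing the DOCTYPE is the setting a reviewer should look for first.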
Security researchers Sina Kheirkhah and Steven Seeley of Source Incite have been credited with reporting both flaws.
Users of VMware Cloud Foundation are advised to apply the patches to mitigate potential threats.