VMware Security Announcement VMSA-2022-0001 CVSSv3 Score 7.7 Important

A new security advisory, VMSA-2022-0001, was released today: VMware Workstation, Fusion and ESXi updates address a heap-overflow vulnerability (CVE-2021-22045).

Impacted Products
  • VMware ESXi
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion
  • VMware Cloud Foundation

Introduction

A heap-overflow vulnerability in VMware Workstation, Fusion and ESXi was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

VMware Workstation, Fusion and ESXi updates address a heap-overflow vulnerability (CVE-2021-22045)

Description

The CD-ROM device emulation in VMware Workstation, Fusion and ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.7.

Known Attack Vectors

A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine.

Resolution

For ESXi 7.0 apply patch ESXi70U3c-19193900. Download and release note information will be provided below.

For ESXi 6.7 apply patch ESXi670-202111101-SG. Download and release note information will be provided below.

For ESXi 6.5 apply patch ESXi650-202110101-SG. Download and release note information will be provided below.

For VMware Workstation 16.x, patch to version 16.2. Download and release note information will be provided below.

For VMware Fusion 12.x, patch to version 12.2. Download and release note information will be provided below.

Patches are pending for VMware Cloud Foundation (ESXi) 4.x and 3.x.

Workarounds

Workarounds are provided in the following KB articles:

For all versions of ESXi: Workaround Instructions For CVE-2021-22045 on VMware ESXi Hosts (87249)

For VMware Workstation: Removing Unnecessary Hardware from VMware Workstation VM (87206)

For VMware Fusion: Removing Unnecessary Hardware from VMware Fusion VM (87207)

For VMware Cloud Foundation: Workaround Instructions For CVE-2021-22045 on VMware ESXi Hosts (87249)
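Before applying the patches or the KB workarounds it helps to know which hosts are still on a pre-fix build and which VMs actually present an emulated CD-ROM device, since those are the VMs the "Removing Unnecessary Hardware" KBs target. The PowerCLI script below is an added example, not code from VMware or the KB articles; it assumes VMware PowerCLI is installed, that the vCenter name is a placeholder to replace, and that the 6.7/6.5 fixed build numbers (which the advisory gives only as patch IDs) are filled in from the release notes.

```powershell
# Added example (not from the VMware advisory or KB articles): report ESXi
# hosts still below the fixed ESXi 7.0 build named in the advisory, and list
# VMs that present an emulated CD-ROM device (the workaround candidates).
# Requires: Install-Module VMware.PowerCLI

$vcenter = 'vcenter.example.internal'   # ASSUMPTION: replace with your vCenter
Connect-VIServer -Server $vcenter | Out-Null

# Build number of the 7.0 fix from the advisory (ESXi70U3c-19193900).
# 6.7 and 6.5 are named by patch ID only, so their builds are placeholders.
$fixedBuild = @{
    '7.0' = 19193900
    '6.7' = 0   # PLACEHOLDER: build number of ESXi670-202111101-SG
    '6.5' = 0   # PLACEHOLDER: build number of ESXi650-202110101-SG
}

Write-Host '== ESXi hosts below the fixed build =='
Get-VMHost | ForEach-Object {
    # Reduce "7.0.3" to "7.0" to look up the fixed build for that release line.
    $line = ($_.Version -split '\.')[0..1] -join '.'
    $need = $fixedBuild[$line]
    if ($null -ne $need -and $need -gt 0 -and [int]$_.Build -lt $need) {
        [pscustomobject]@{
            Host = $_.Name; Version = $_.Version; Build = $_.Build; FixedBuild = $need
        }
    }
} | Format-Table -AutoSize

Write-Host '== VMs with an emulated CD-ROM device =='
Get-VM | Get-CDDrive | ForEach-Object {
    [pscustomobject]@{
        VM        = $_.Parent.Name
        Device    = $_.Name
        Connected = $_.ConnectionState.Connected
        Backing   = if ($_.IsoPath) { $_.IsoPath }
                    elseif ($_.HostDevice) { $_.HostDevice }
                    else { 'client device / none' }
    }
} | Sort-Object VM | Format-Table -AutoSize

Disconnect-VIServer -Server $vcenter -Confirm:$false
```

The script only reports; actually removing a CD-ROM device per the KB workaround is a separate, deliberate change (for example with Remove-CDDrive on a specific VM), and patching to the fixed builds remains the resolution.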

References

Fixed Version(s) and Release Notes:

VMware ESXi 7.0

Downloads and Documentation:

https://customerconnect.vmware.com/en/downloads/details?downloadGroup=ESXI70U3C&productId=974&rPId=83414

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3c-release-notes.html

VMware ESXi 6.7

Downloads and Documentation:

https://customerconnect.vmware.com/patch/

https://docs.vmware.com/en/VMware-vSphere/6.7/rn/esxi670-202111001.html#esxi670-202111101-sg-resolved

VMware ESXi 6.5

Downloads and Documentation:

https://customerconnect.vmware.com/patch/

https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202110001.html

VMware Workstation Pro 16.2.0

Downloads and Documentation:

https://customerconnect.vmware.com/en/downloads/details?downloadGroup=WKST-1620-WIN&productId=1038&rPId=75715

https://docs.vmware.com/en/VMware-Workstation-Pro/16.2.0/rn/VMware-Workstation-1620-Pro-Release-Notes.html

VMware Workstation Player 16.2.0

Downloads and Documentation:

https://customerconnect.vmware.com/downloads/details?downloadGroup=WKST-PLAYER-1620&productId=1039&rPId=77292

https://docs.vmware.com/en/VMware-Workstation-Player/16.2.0/rn/VMware-Workstation-1620-Player-Release-Notes.html

VMware Fusion 12.2.0

Downloads and Documentation:

https://customerconnect.vmware.com/downloads/details?downloadGroup=FUS-1220&productId=1040&rPId=75335

https://docs.vmware.com/en/VMware-Fusion/12.2.0/rn/VMware-Fusion-1220-Release-Notes.html

Thanks for Reading!