VMware Security Announcement VMSA-2022-0001 CVSSv3 Score 7.7 Important
A new security advisory was released today. VMSA-2022-0001: VMware Workstation, Fusion and ESXi updates address a heap-overflow vulnerability (CVE-2021-22045).
Impacted Products
- VMware ESXi
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion
- VMware Cloud Foundation
Introduction
A heap-overflow vulnerability in VMware Workstation, Fusion and ESXi was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.
VMware Workstation, Fusion and ESXi updates address a heap-overflow vulnerability (CVE-2021-22045)
Description
The CD-ROM device emulation in VMware Workstation, Fusion and ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.7.
Known Attack Vectors
A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine.
Resolution
- ESXi 7.0: apply patch ESXi70U3c-19193900.
- ESXi 6.7: apply patch ESXi670-202111101-SG.
- ESXi 6.5: apply patch ESXi650-202110101-SG.
- VMware Workstation 16.x: update to version 16.2.
- VMware Fusion 12.x: update to version 12.2.
- VMware Cloud Foundation (ESXi) 4.x and 3.x: patches are pending.
Download and release note information is provided under References below.
Workarounds
Workarounds are provided in the following KB articles:
- All versions of ESXi: Workaround Instructions For CVE-2021-22045 on VMware ESXi Hosts (87249)
- VMware Workstation: Removing Unnecessary Hardware from VMware Workstation VM (87206)
- VMware Fusion: Removing Unnecessary Hardware from VMware Fusion VM (87207)
- VMware Cloud Foundation: Workaround Instructions For CVE-2021-22045 on VMware ESXi Hosts (87249)
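As an added check, not taken from the advisory or from VMware's KB articles, the following PowerCLI snippet inventories every VM on a vCenter or ESXi host for the emulated CD/DVD device, reports which drives are connected or backed by an ISO or host device alongside each host's version and build, and can detach the media. It assumes PowerCLI is installed and that the $Server parameter and the -Remediate switch are supplied by the operator; which remediation step is sufficient for a given version is defined by the KB articles above, not by this snippet.

```powershell
# Added example, not from VMSA-2022-0001 or the VMware KB articles.
# Requires VMware PowerCLI. $Server and -Remediate are assumed inputs.
param(
    [Parameter(Mandatory = $true)][string]$Server,   # vCenter or ESXi host
    [switch]$Remediate                               # detach media when set
)

Connect-VIServer -Server $Server | Out-Null

# Host inventory: version and build, to compare against the patched builds
# listed in the advisory (e.g. ESXi70U3c-19193900 for ESXi 7.0).
Get-VMHost | Select-Object Name, Version, Build | Format-Table -AutoSize

# One row per CD/DVD drive, so VMs that still expose the emulated device
# (the component named in the advisory) are visible at a glance.
$drives = Get-VM | Get-CDDrive | ForEach-Object {
    [PSCustomObject]@{
        VM             = $_.Parent.Name
        PowerState     = $_.Parent.PowerState
        Device         = $_.Name
        Connected      = $_.ConnectionState.Connected
        StartConnected = $_.ConnectionState.StartConnected
        Backing        = if ($_.IsoPath) { $_.IsoPath }
                         elseif ($_.HostDevice) { "host:" + $_.HostDevice }
                         elseif ($_.RemoteDevice) { "remote:" + $_.RemoteDevice }
                         else { "none" }
    }
}

"CD/DVD drives found: $(@($drives).Count)"
$drives | Sort-Object VM | Format-Table -AutoSize

if ($Remediate) {
    # Switch every drive to no media and clear connect-at-power-on so the
    # device is not reconnected on the next boot.
    Get-VM | Get-CDDrive |
        Set-CDDrive -NoMedia -StartConnected:$false -Confirm:$false | Out-Null
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it once without -Remediate to review the inventory, then rerun with the switch once the affected VMs have been confirmed.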
References
Fixed Version(s) and Release Notes:
VMware ESXi 7.0
Downloads and Documentation:
https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-70u3c-release-notes.html
VMware ESXi 6.7
Downloads and Documentation:
https://customerconnect.vmware.com/patch/
VMware ESXi 6.5
Downloads and Documentation:
https://customerconnect.vmware.com/patch/
https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202110001.html
VMware Workstation Pro 16.2.0
Downloads and Documentation:
VMware Workstation Player 16.2.0
Downloads and Documentation:
VMware Fusion 12.2.0
Downloads and Documentation:
https://docs.vmware.com/en/VMware-Fusion/12.2.0/rn/VMware-Fusion-1220-Release-Notes.html
Thanks for Reading!