VMware Releases Security Update for ESXi, Workstation, Fusion, and Cloud Foundation

Security update addresses a heap-overflow vulnerability in VMware products

Threat ID:: CC-4004
Threat Severity:: Information only
Published:: 6 January 2022 1:48 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Security update addresses a heap-overflow vulnerability in VMware products

Affected platforms

The following platforms are known to be affected:

Versions: 7.0, 6.7, 6.5

VMware ESXi

Versions: 16.x

VMware Workstation Pro & Player

Versions: Fusion 12.x

VMware Fusion & Fusion Pro

Versions: (ESXi) 4.x, (ESXi) 3.x

VMware Cloud Foundation

Threat details

Introduction

VMware has released an important advisory that includes updates and workarounds to remediate against a heap-overflow vulnerability in VMware products. An attacker with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine and take control of an affected system.

Remediation advice

Affected organisations are encouraged to review VMware Security Advisory VMSA-2022-0001 and apply any relevant updates or workarounds.

Definitive source of threat updates

https://www.vmware.com/security/advisories/VMSA-2022-0001.html

CVE Vulnerabilities

Status Published

CVE-2021-22045

VMware ESXi (7.0, 6.7 before ESXi670-202111101-SG and 6.5 before ESXi650-202110101-SG), VMware Workstation (16.2.0) and VMware Fusion (12.2.0) contains a heap-overflow vulnerability in CD-ROM device emulation. A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine.

Last edited: 6 January 2022 1:48 pm