
VMware Releases Security Update for ESXi, vCenter Server, and Cloud Foundation

Summary

Security update addresses four vulnerabilities in VMware products


Threat details

Introduction

VMware has released security updates to address four vulnerabilities in VMware ESXi and vCenter Server; the same fixes apply to VMware Cloud Foundation deployments that bundle these components.

VMware ESXi contains two vulnerabilities, and VMware rates the advisory as a whole Important. CVE-2022-31696 is a memory corruption vulnerability with a CVSSv3 base score of 7.5. The vulnerability exists in the way ESXi handles network sockets. A malicious actor with local access to ESXi may exploit this issue to corrupt memory, leading to an escape of the ESXi sandbox. CVE-2022-31699 is a heap-overflow vulnerability with a CVSSv3 base score of 4.2. A malicious local actor with restricted privileges within a sandbox process may exploit this issue to achieve a partial information disclosure.

vCenter Server contains two vulnerabilities. CVE-2022-31697 is an information disclosure vulnerability, with a CVSSv3 base score of 6.2, caused by credentials being written to logs in plaintext. CVE-2022-31698 is a denial-of-service vulnerability in the content library service with a CVSSv3 base score of 5.8. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to trigger a denial-of-service condition by sending a specially crafted header.


Remediation advice

Affected organisations are encouraged to review VMware Security Advisory VMSA-2022-0030 (https://www.vmware.com/security/advisories/VMSA-2022-0030.html) and apply any relevant updates or workarounds. Organisations running VMware Cloud Foundation should apply the corresponding ESXi and vCenter Server fixes through the Cloud Foundation update process referenced in the advisory.



Last edited: 12 December 2022 1:30 pm