CVE-2021-22045: VMware Workstation, Fusion and ESXi heap-overflow vulnerability

by do son · Published January 6, 2022 · Updated January 7, 2022

VMware has released emergency updates for VMware Workstation, Fusion, and ESXi to fix a heap-overflow security vulnerability. The security vulnerability number is CVE-2021-22045, and the CVSS score is 7.7. An attacker who successfully exploited this vulnerability could execute arbitrary code. The vulnerability was discovered by Jaanus Kääp, a security researcher at Clarified Security, and reported to VMware for a fix.

A malicious actor with access to a virtual machine emulated by a CD-ROM device may be able to execute arbitrary code from a virtual machine in combination with other vulnerabilities, VMware said in a security advisory. The vulnerability affects ESXi versions 6.5/6.7/7.0, VMware Workstation version 16.x, Fusion version 12.x.

No security updates have been released for ESXi at this time, so VMware recommends that enterprises and teams using ESXi temporarily disable the CD-ROM/DVD devices of all running virtual machines to prevent potential attacks.

Log in to the vCenter Server system using the vSphere Web Client, right-click the virtual machine and click Edit, select the CD-ROM/DVD drive and uncheck Connected and Connect at power on, and finally delete all ISO images already connected via CD-ROM/DVD.

VMware Workstation and Fusion already have patches available. Users of these products can check for updates directly on the About page, or download the latest version from the official VMware website and install and upgrade to solve related vulnerabilities.

CVE-2021-22045: VMware Workstation, Fusion and ESXi heap-overflow vulnerability

Search

Brilliantly

Content & Links