VMware issued security updates that address a critical vulnerability in ESXi, Workstation, Fusion and Cloud Foundation. Separately, a critical-severity command injection flaw affecting vRealize Network Insight was addressed.
The VMware ESXi heap out-of-bounds write vulnerability has been identified as CVE-2022-31705 and received a CVSS severity rating of 9.3.
The advisory mentions that “a malicious actor may use this issue to execute source code from the virtual machine’s VMX processes running on the host.”
“On ESXi the exploitation is contained in the VMX sandbox whereas on Workstation/Fusion this could lead to code execution from the machine on which Workstation/Fusion is installed.”
These products are affected by the vulnerability:
- ESXi 8.0 (fixed in ESXi 8.0a-20842819)
- ESXi 7.0 (fixed in 7.0U3i-20842708)
- Fusion 12.x (fixed in 12.2.5)
- Workstation 16.x (fixed in 16.2.5)
- Cloud Foundation 4.x/3.x
The flaw does not affect VMware Fusion 13.x or Workstation 17.x.
CVE-2022-31705 lies in the USB 2.0 (EHCI) controller. As a workaround, it is recommended that you remove the USB controllers from your virtual machines.
VMware released instructions that show how to apply the workaround to a VMware ESXi virtual machine; these also apply to Cloud Foundation.
The steps below are for VMware Fusion and VMware Workstation. On Fusion:
- Choose Window > Virtual Machine Library.
- Select a virtual machine in the Virtual Machine Library window and click Settings.
- In the Settings window, under Removable Devices, click USB & Bluetooth.
- Under Advanced USB Options, click Remove USB Controller.
- In the confirmation dialog, click Remove.
On Workstation:
- Choose a virtual machine from the Library pane, and then select VM > Settings.
- Go to the Hardware tab in the Virtual Machine Settings dialog.
- Click the USB Controller entry and then click Remove.
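The UI steps above remove the controller one VM at a time; a defender with many Workstation or Fusion VMs will also want to verify which configurations still declare the vulnerable controller. The script below is an added example, not code from VMware or from the advisory. It assumes that Workstation and Fusion record USB controllers in the VM's .vmx file under the keys `usb.present` (USB/UHCI), `ehci.present` (USB 2.0/EHCI, the controller CVE-2022-31705 concerns) and `usb_xhci.present` (USB 3.x/xHCI); the sample .vmx contents are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample .vmx file bodies (not from the advisory). The key names
# below are an assumption of this example about how Workstation/Fusion
# declare USB controllers:
#   usb.present      -> USB (UHCI) controller
#   ehci.present     -> USB 2.0 (EHCI) controller, affected by CVE-2022-31705
#   usb_xhci.present -> USB 3.x (xHCI) controller
SAMPLE_VMX_FILES: Dict[str, str] = {
    "web01.vmx": (
        'displayName = "web01"\n'
        'usb.present = "TRUE"\n'
        'ehci.present = "TRUE"\n'
    ),
    "db01.vmx": (
        'displayName = "db01"\n'
        'usb.present = "TRUE"\n'
        'ehci.present = "FALSE"\n'
    ),
    "jump01.vmx": (
        'displayName = "jump01"\n'
        'usb_xhci.present = "true"\n'
    ),
    "build01.vmx": (
        'displayName = "build01"\n'
        '# USB controllers already removed\n'
    ),
}

# One `key = "value"` line; the value may be unquoted in hand-edited files.
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"?([^"]*?)"?\s*$')

CONTROLLER_KEYS = {
    "usb.present": "USB (UHCI)",
    "ehci.present": "USB 2.0 (EHCI)",
    "usb_xhci.present": "USB 3.x (xHCI)",
}


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse a .vmx body into a dict; keys are lowercased, values unquoted."""
    config: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _VMX_LINE.match(line)
        if match:
            config[match.group(1).lower()] = match.group(2)
    return config


def present(config: Dict[str, str], key: str) -> bool:
    """True when the .vmx key is set to TRUE (the file format is case-insensitive)."""
    return config.get(key, "").strip().upper() == "TRUE"


def usb_controllers(config: Dict[str, str]) -> List[str]:
    """Human-readable names of the USB controllers a VM config still declares."""
    return [name for key, name in CONTROLLER_KEYS.items() if present(config, key)]


def audit(vmx_files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each .vmx file name to the USB controllers it declares."""
    return {name: usb_controllers(parse_vmx(body)) for name, body in vmx_files.items()}


def needs_workaround(vmx_files: Dict[str, str]) -> List[str]:
    """VMs that still have the USB 2.0 (EHCI) controller attached, sorted by name."""
    return sorted(
        name for name, body in vmx_files.items()
        if present(parse_vmx(body), "ehci.present")
    )


if __name__ == "__main__":
    for name, controllers in audit(SAMPLE_VMX_FILES).items():
        print(f"{name}: {', '.join(controllers) or 'no USB controllers'}")
    print("Still exposing the EHCI controller:", needs_workaround(SAMPLE_VMX_FILES))
```

To run this against a real inventory, read each VM's .vmx file from disk into the dictionary in place of the constructed samples; any VM listed by `needs_workaround` has not yet had the workaround applied and should be prioritised for the controller removal above or for the patched release. The parser deliberately treats an absent key the same as `"FALSE"`, so a VM whose USB lines were deleted outright is reported as clean.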
VMware also provides details on CVE-2022-31702, a critical vulnerability (CVSS v3 9.8) that permits command injection through the vRNI API of vRealize Network Insight versions 6.2 through 6.7.
A less severe (CVSS v3 7.5) directory traversal flaw, CVE-2022-31703, is also covered in the security notice. It could allow a threat actor to access arbitrary files on the server. This flaw affects the same product versions.
These vulnerabilities do not affect VMware vRealize Network Insight 6.8.0.
The vendor released security updates for all affected versions in response to the issue. See the table below.
These flaws cannot be fixed by any means other than upgrading to the most current version available for your branch.