Summary
Multiple VMware Products are vulnerable to High-Severity flaws. Successful exploitation of the flaws could allow a malicious actor with local administrative privileges on a virtual machine to execute code as the virtual machine’s VMX process running on the host. It could also allow the adversary with access to settings to escalate their privileges by writing arbitrary files.
Affected Systems
- VMware ESXi
- VMware Workstation Pro / Player (Workstation)
- VMware Fusion Pro / Fusion (Fusion)
- VMware Cloud Foundation (Cloud Foundation)
- VMware NSX Data Center for vSphere (NSX-V)
- VMware Cloud Foundation (Cloud Foundation
Following are the flaws
- CVE-2021-22040 (CVSS score: 8.4) – Use-after-free vulnerability in XHCI USB controller
- CVE-2021-22041 (CVSS score: 8.4) – Double-fetch vulnerability in UHCI USB controller
- CVE-2021-22042 (CVSS score: 8.2) – ESXi settingsd unauthorized access vulnerability
- CVE-2021-22043 (CVSS score: 8.2) – ESXi settingsd TOCTOU vulnerability
- CVE-2021-22050 (CVSS score: 5.3) – ESXi slow HTTP POST denial-of-service vulnerability
- CVE-2022-22945 (CVSS score: 8.8) – CLI shell injection vulnerability in the NSX Edge appliance component
Recommendations
- Apply the security updates released after testing.
Reference
https://thehackernews.com/2022/02/vmware-issues-security-patches-for-high.html
