CVE-2021-22045: VMSA-2022-0001

VMware ESXi (7.0, 6.7 before ESXi670-202111101-SG and 6.5 before ESXi650-202110101-SG), VMware Workstation (16.2.0) and VMware Fusion (12.2.0) contain a heap-overflow vulnerability in CD-ROM device emulation. A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine.


Advisory ID: VMSA-2022-0001

CVSSv3 Range: 7.7

Issue Date: 2022-01-04

Updated On: 2022-01-04 (Initial Advisory)

CVE(s): CVE-2021-22045

Synopsis: VMware Workstation, Fusion and ESXi updates address a heap-overflow vulnerability (CVE-2021-22045)


**1. Impacted Products**

  • VMware ESXi
  • VMware Workstation
  • VMware Fusion
  • VMware Cloud Foundation

**2. Introduction**

A heap-overflow vulnerability in VMware Workstation, Fusion and ESXi was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

**3. VMware Workstation, Fusion and ESXi updates address a heap-overflow vulnerability (CVE-2021-22045)**

The CD-ROM device emulation in VMware Workstation, Fusion and ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.7.

A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit this vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine.

To remediate CVE-2021-22045, apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds for CVE-2021-22045 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

Successful exploitation requires a CD image to be attached to the virtual machine.
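An added PowerCLI inventory script (not VMware's code and not part of this advisory) that lists the VMs meeting the exposure condition just stated, a CD/DVD drive with media attached, together with the version and build of the hosts running them, so they can be checked against the Response Matrix. It assumes an existing Connect-VIServer session and the standard Get-VM, Get-CDDrive and Get-VMHost cmdlets.

```powershell
# Added example, not from VMSA-2022-0001. Assumes a PowerCLI session already
# opened with Connect-VIServer. Fixed build numbers are not given on the advisory
# page, so compare the printed Version/Build against the 'Fixed Version' column
# (and the linked KB articles) yourself.

# 1. Virtual CD/DVD drives that currently have media attached: a datastore ISO,
#    a host device, or a client/remote device. Empty drives are not exposed per
#    the advisory and are left out.
$exposed = Get-VM | Get-CDDrive | Where-Object {
    $_.IsoPath -or $_.HostDevice -or $_.RemoteDevice
} | Select-Object `
    @{N = 'VM';             E = { $_.Parent.Name } },
    @{N = 'Host';           E = { $_.Parent.VMHost.Name } },
    @{N = 'Media';          E = { if ($_.IsoPath) { $_.IsoPath }
                                  elseif ($_.HostDevice) { $_.HostDevice }
                                  else { $_.RemoteDevice } } },
    @{N = 'Connected';      E = { $_.ConnectionState.Connected } },
    @{N = 'StartConnected'; E = { $_.ConnectionState.StartConnected } }

$exposed | Sort-Object Host, VM | Format-Table -AutoSize

# 2. Version and build of every host that runs an exposed VM. ESXi 7.0 was
#    'Patch Pending' when the advisory was published, so those hosts depend on
#    the KB87249 workaround rather than on a patch.
$exposed | Select-Object -ExpandProperty Host -Unique | ForEach-Object {
    Get-VMHost -Name $_ | Select-Object Name, Version, Build
} | Format-Table -AutoSize

# 3. One-line summary for the change ticket.
'{0} VM(s) with CD/DVD media attached on {1} host(s)' -f `
    @($exposed).Count, @($exposed.Host | Select-Object -Unique).Count
```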

VMware would like to thank Jaanus Kääp, Clarified Security working with Trend Micro Zero Day Initiative for reporting this vulnerability to us.

Response Matrix:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| ESXi | 7.0 | Any | CVE-2021-22045 | 7.7 | important | Patch Pending | KB87249 | None |
| ESXi | 6.7 | Any | CVE-2021-22045 | 7.7 | important | ESXi670-202111101-SG | KB87249 | None |
| ESXi | 6.5 | Any | CVE-2021-22045 | 7.7 | important | ESXi650-202110101-SG | KB87249 | None |
| Workstation | 16.x | Any | CVE-2021-22045 | 7.7 | important | 16.2.0 | KB87206 | None |
| Fusion | 12.x | OS X | CVE-2021-22045 | 7.7 | important | 12.2.0 | KB87207 | None |

Impacted Product Suites that Deploy Response Matrix Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Cloud Foundation (ESXi) | 4.x | Any | CVE-2021-22045 | 7.7 | important | Patch Pending | KB87249 | None |
| VMware Cloud Foundation (ESXi) | 3.x | Any | CVE-2021-22045 | 7.7 | important | Patch Pending | KB87249 | None |

**4. References**

**5. Change Log**

2022-01-04 VMSA-2022-0001
Initial security advisory.

**6. Contact**
