Daniel Jones
VMSA
VMware
Security Alert
In this article:

Happy New Year and welcome to 2022. I’d love to spend loads of time catching up but we’re going to have to dive right in, because we’re here with our first VMware Security Advisory (VMSA) of the year. It seems that 2022 is ready to carry on right where 2021 left off, with Common Vulnerabilities and Exposures (CVEs) left, right and centre. 

On the 4th of January, VMware announced a VMSA, number 2022-0001, which covers one CVE. CVEs like this provide definitions for publicly disclosed cybersecurity vulnerabilities and exposures, and this VMSA provides VMware’s resolution information.

In response to this, our Runecast development team deployed the fix today, the 5th of January, maintaining our mission to react to each and every VMSA within 24 hours for our customers. The fix is now available in the latest definitions release, version 6.0.4.3, which is available for download. Customers with automatic updates enabled will receive the new definitions during the next update cycle, with offline updates available, as always, through the Runecast customer portal.

Below is the technical information about the CVE and VMware’s response. We post these to keep you informed and up to date with what Runecast Analyzer covers, but if you have any questions at all please don’t hesitate to contact us and we will discuss it with you.

Heap-overflow vulnerability in VMware Workstation, Fusion and ESXi (CVE-2021-22045)

VMware was privately informed about a heap-overflow vulnerability in VMware Workstation, Fusion and ESXi. To be precise, the CD-ROM device emulation has the vulnerability. VMware has classed this vulnerability as Important.

The risk is that a malicious actor with access to a virtual machine with CD-ROM device emulation could exploit this vulnerability, in conjunction with other issues, to execute code on the hypervisor from a virtual machine.

  • The vulnerability affects the following products: ESXi versions 6.5, 6.7 and 7.0, Workstation 16.x and Fusion 12.x.
  • In addition to these the VMware Cloud Foundation (ESXi) versions 3.x and 4.x are affected. 

Workarounds have been provided for all the affected products, with patches for Fusion, Workstation and ESXi versions 6.5 and 6.7. There is a patch pending for ESXi version 7.0 and the Cloud Foundation versions. 

See recent CVEs that Runecast has covered

Runecast enables IT Security and Operations teams with simpler, proactive approaches to ITOM and CSPM, in a single platform. With Runecast you mitigate risk, increase efficiency, reduce costs and ensure mission-critical stability – for VMware, AWS, Kubernetes, Azure, and now with OS-level coverage.

Meet other Runecasters here:

Get a free 14-day trial of Runecast

Try Runecast Analyzer’s secure, on-premises cloud transparency in your VMware, AWS & Kubernetes environment free for 14 days.

Request a free trial