Vulnerabilità critica – VMSA-2022-0004 – VMware ESXi, Workstation e Fusion

Riporto dettagli da comunicazione ufficiale VMware:

https://www.vmware.com/security/advisories/VMSA-2022-0004.html

Known Attack Vectors

A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host.
Resolution:

To remediate CVE-2021-22040 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

Workarounds:

Workarounds for CVE-2021-22040 have been listed in the ‘Workarounds’ column of the ‘Response Matrix’ below.

Additional Documentation:

A supplemental blog post was created for additional clarification. Please see: https://via.vmw.com/vmsa-2022-0004-qna.

Prodotti Impattati:

• VMware ESXi
• VMware Workstation Pro / Player (Workstation)
• VMware Fusion Pro / Fusion (Fusion)
• VMware Cloud Foundation (Cloud Foundation)

Link utili:

• https://kb.vmware.com/s/article/87617
• https://kb.vmware.com/s/article/87613
• https://kb.vmware.com/s/article/87349
• https://core.vmware.com/vmsa-2022-0004-questions-answers-faq#section1
• https://docs.vmware.com/en/VMware-vSphere/6.5/rn/esxi650-202202001.html

Response Matrix: – 3a & 3b

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
ESXi	7.0 U3	Any	CVE-2021-22040, CVE-2021-22041	8.4	important	ESXi70U3c-19193900	KB87349	FAQ
ESXi	7.0 U2	Any	CVE-2021-22040, CVE-2021-22041	8.4	important	ESXi70U2e-19290878	KB87349	FAQ
ESXi	7.0 U1	Any	CVE-2021-22040, CVE-2021-22041	8.4	important	ESXi70U1e-19324898	KB87349	FAQ
ESXi	6.7	Any	CVE-2021-22040, CVE-2021-22041	8.4	important	[1] ESXi670-202111101-SG	KB87349	FAQ
ESXi	6.5	Any	CVE-2021-22040, CVE-2021-22041	8.4	important	ESXi650-202202401-SG	KB87349	FAQ
Fusion	12.x	OS X	CVE-2021-22040, CVE-2021-22041	8.4	important	12.2.1	KB87349	FAQ
Workstation	16.x	Any	CVE-2021-22040, CVE-2021-22041	8.4	important	16.2.1	KB87349	FAQ

Impacted Product Suites that Deploy Response Matrix 3a & 3b Components:

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
Cloud Foundation (ESXi)	4.x	Any	CVE-2021-22040, CVE-2021-22041	8.4	important	4.4	KB87349	FAQ
Cloud Foundation (ESXi)	3.x	Any	CVE-2021-22040, CVE-2021-22041	8.4	important	3.11	KB87349	FAQ

---

Alessandro Romeo