VMware released patches for several vulnerabilities affecting VMware ESXi, Workstation, Fusion and Cloud Foundation on Tuesday after security researchers participating in China’s Tianfu Cup discovered the issues.
The company published security advisory VMSA-2022-0004 and told ZDNet that it encourages customers to deploy its products “in a security hardened configuration” while also applying all updates, security patches and mitigations. The advisory covers CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043 and CVE-2021-22050.
“VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.4. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host,” the company explained, adding that VMware ESXi, Workstation, and Fusion also contained a double-fetch vulnerability in the UHCI USB controller.
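The advisory does not describe the UHCI double fetch in any detail, so the following is an added, generic illustration of the bug class rather than VMware's code or the actual CVE-2021-22041 flaw. A USB host controller emulator reads transfer descriptors that the guest places in memory it can still write to. If the emulator reads a length field once to bounds-check it and then reads it again to perform the copy, a second guest vCPU can change the value between the two reads, so the copy uses a length that was never checked. The descriptor layout, function names and the race hook below are constructed for the demo; the hook stands in for the racing guest thread so the outcome is deterministic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the emulator-side buffer the handler is allowed to fill. */
#define MAX_PAYLOAD 64

/* Constructed transfer descriptor living in guest-shared memory.
   Not the real UHCI TD format: only what the demo needs. */
struct td {
    volatile uint32_t len;   /* guest-controlled, can change at any moment */
    uint8_t payload[256];
};

/* Stand-in for a second guest vCPU that writes the TD while the emulator
   is between its two reads. NULL means no race. */
typedef void (*race_hook_t)(struct td *td);

/* Vulnerable pattern: td->len is fetched once for the check and again for
   the copy. Returns the number of bytes actually copied, or -1 if rejected. */
static int handle_td_double_fetch(struct td *td, uint8_t *out, size_t outsz,
                                  race_hook_t race)
{
    if (td->len > outsz)                     /* fetch 1: bounds check */
        return -1;
    if (race)
        race(td);                            /* guest changes len here */
    memcpy(out, td->payload, td->len);       /* fetch 2: unchecked value */
    return (int)td->len;
}

/* Fixed pattern: snapshot the guest-controlled field into emulator-private
   memory once, then check and use only the snapshot. */
static int handle_td_single_fetch(struct td *td, uint8_t *out, size_t outsz,
                                  race_hook_t race)
{
    uint32_t len = td->len;                  /* the only read of len */
    if (len > outsz)
        return -1;
    if (race)
        race(td);                            /* guest may still write... */
    memcpy(out, td->payload, len);           /* ...but we use the snapshot */
    return (int)len;
}

/* Racing guest: grows the length after the emulator has validated it. */
static void guest_grows_len(struct td *td)
{
    td->len = 200;
}

/* Runs one handler against a TD that starts with a valid length while the
   guest races. Returns true if the handler copied more than the bound it
   was told to enforce. The scratch buffer is deliberately larger than
   MAX_PAYLOAD so the demo does not corrupt real memory; in a real emulator
   `out` would be exactly MAX_PAYLOAD bytes and this would be a heap overflow
   in the host-side process. */
static bool copied_past_bound(int (*handler)(struct td *, uint8_t *, size_t,
                                             race_hook_t))
{
    struct td td = { .len = 16 };
    memset(td.payload, 0x41, sizeof td.payload);
    uint8_t scratch[256];
    int n = handler(&td, scratch, MAX_PAYLOAD, guest_grows_len);
    return n > (int)MAX_PAYLOAD;
}

int main(void)
{
    printf("double fetch copied past bound: %s\n",
           copied_past_bound(handle_td_double_fetch) ? "yes" : "no");
    printf("single fetch copied past bound: %s\n",
           copied_past_bound(handle_td_single_fetch) ? "yes" : "no");
    return 0;
}
```

The same discipline applies to every field the guest controls, not just lengths: device emulators normally copy the whole descriptor into private memory with one read and never touch the shared copy again, and they treat the `volatile` qualifier as a reminder that the compiler cannot be relied on to merge the two reads for them.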
“These issues were discovered as part of the Tianfu Cup, a Chinese security event that VMware participates in. These vulnerabilities were reported to the Chinese government by the researchers that discovered them, in accordance with their laws,” VMware said in another FAQ on the issues.
VMware also said ESXi contains an unauthorized access vulnerability due to